raster pushed a commit to branch master. http://git.enlightenment.org/core/enlightenment.git/commit/?id=1c92e22eb2748d1557f5fe4a11f62de58ec2659b
commit 1c92e22eb2748d1557f5fe4a11f62de58ec2659b
Author: Carsten Haitzler (Rasterman) <ras...@rasterman.com>
Date:   Fri Oct 4 16:48:21 2013 +0900

    check if class string is valid first, then make sure buffer is 0 terminated

    i got a segv in an strncpy... but the bt missed telling me anything
    other than it was in _e_border_eval(). gdb wouldn't help.

    Thread 1 (Thread 0xb7859780 (LWP 1377)):
    No symbol table info available.
    No locals.
    No symbol table info available.
    No locals.
        at /usr/include/i386-linux-gnu/bits/string3.h:121
            buf = '\000' <repeats 4095 times>
            s = <optimized out>
            event = <optimized out>
            pnd = <optimized out>
            rem_change = 1
            send_event = 1

    since this is the only strncpy, i can only conclude that something is
    fishy about the src or dest buffer, and i can only guess that the
    strncpy is directly in e_border.c (though it could have come from an
    inline func or macro from eina etc.)... but it's the best guess i have.

    the strncpy will have problems if bd->client.icccm.class > 4096 in
    size. buf will not be nul terminated then:

    The strncpy() function is similar, except that at most n bytes of src
    are copied. Warning: If there is no null byte among the first n bytes
    of src, the string placed in dest will not be null-terminated.

    as per manpage. so there was a lurking bug with a non 0 terminated
    buffer. also added check for bd->client.icccm.class as it could be
    null...

--- src/bin/e_border.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/bin/e_border.c b/src/bin/e_border.c index 8f3f1a6..8afc399 100644 --- a/src/bin/e_border.c +++ b/src/bin/e_border.c 
@@ -8963,11 +8963,12 @@ _e_border_eval(E_Border *bd) snprintf(buf, sizeof(buf), "%s.desktop", bd->client.icccm.class); bd->desktop = efreet_util_desktop_file_id_find(buf); } - if (!bd->desktop) + if ((!bd->desktop) && (bd->client.icccm.class)) { - char buf[4096] = {0}, *s; + char buf[4096], *s; - strncpy(buf, bd->client.icccm.class, sizeof(buf)); + strncpy(buf, bd->client.icccm.class, sizeof(buf) - 1); + buf[sizeof(buf) - 1] = 0; s = buf; eina_str_tolower(&s); if (strcmp(s, bd->client.icccm.class)) --
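Review bot: The new strncpy(buf, bd->client.icccm.class, sizeof(buf) - 1) followed by the explicit terminator truncates a class string of 4096 bytes or more without any signal, so the strcmp() against bd->client.icccm.class a few lines later reports a difference because of the cut rather than because of case, and the block carries on with a truncated name. Consider checking the length up front and skipping the block when the string does not fit, or copying with eina_strlcpy() and comparing its return value against sizeof(buf). Dropping the = {0} initializer is fine, since strncpy() NUL-pads the destination up to n bytes and the last byte is now set explicitly. The added (bd->client.icccm.class) test guards only this block: the snprintf() context line at the top of the hunk also formats the class string, and the visible lines do not show whether that call sits behind its own NULL check, which is worth confirming before merging.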