On Tue, Sep 20, 2016 at 12:32:02PM +0300, Efraim Flashner wrote:
> > +diff --git a/src/lib/rules.c b/src/lib/rules.c
> > +index d193cc0..3a2aa46 100644
> > +--- a/lib/rules.c
> > ++++ b/lib/rules.c
> > +@@ -434,9 +434,8 @@ Mangle(input, control) /* returns a pointer to
> > a controlled Mangle */
> > + {
> > + int limit;
> > + register char *ptr;
> > +- static char area[STRINGSIZE];
> > +- char area2[STRINGSIZE];
> > +- area[0] = '\0';
> > ++ static char area[STRINGSIZE * 2] = {0};
> > ++ char area2[STRINGSIZE * 2] = {0};
> > + strcpy(area, input);
> > +
> > + for (ptr = control; *ptr; ptr++)
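Review bot: the `+ strcpy(area, input);` line still copies `input` with no length check, so growing `area` and `area2` to `STRINGSIZE * 2` only raises the input length needed to overrun them rather than removing the overrun; unless every caller of `Mangle` guarantees `strlen(input) < STRINGSIZE`, a bounded copy (a length check against `sizeof area` before copying, or `strncpy` followed by an explicit NUL at `area[sizeof area - 1]`) would close the hole for any input length. Two smaller points: replacing `area[0] = '\0';` with `= {0}` on the `static` array zeroes it once at program start rather than on every call, which works here only because `strcpy` rewrites it on each entry, while `= {0}` on the automatic `area2` now zero-fills 2048 bytes on every call; and the `diff --git` header names `a/src/lib/rules.c` while the `---`/`+++` lines name `a/lib/rules.c`, so the patch may need its paths made consistent before it applies with `git am`.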
> > --
> > 2.10.0
> >
>
> not having looked at the full source of lib/rules.c, is there a maximum
> value to STRINGSIZE to make sure STRINGSIZE * 2 doesn't wrap around?

STRINGSIZE is defined in 'lib/packer.h' as 1024:
https://github.com/cracklib/cracklib/blob/cracklib-2.9.6/src/lib/packer.h#L11

I just looked at all the uses of STRINGSIZE in order to give a brief overview of how it's used, but I'm not skilled enough to recognize every case where it might be dangerous and overflow. STRINGSIZE is used to declare many char arrays, an array of pointers, and as an argument to fgets, snprintf, and strncpy. Also the object macro TRUNCSTRINGSIZE is defined as (STRINGSIZE / 4).
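The thread's point is that the size of the destination buffer is not what prevents an overrun; what prevents it is checking the input length against that size before copying. The following is an added illustration, not cracklib's code: `bounded_copy` and `fits_in` are hypothetical helpers, and the only value taken from the thread is `STRINGSIZE` = 1024 from `lib/packer.h`. It shows that a 1024-character input is rejected by a 1024-byte buffer and a 2048-character input is rejected by a 2048-byte buffer, whereas an unchecked `strcpy` would write past the end in both cases.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* STRINGSIZE as the thread cites it from lib/packer.h (1024). */
#define STRINGSIZE 1024

/* Copy src into a fixed-size dst only when it fits, NUL terminator included.
 * Returns 0 on success; returns -1 and leaves dst as an empty string when src
 * is too long. Unlike strcpy, the outcome does not depend on how large dst
 * happens to be relative to whatever the caller passed in: an overlong input
 * is rejected instead of being written past the end of the buffer. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst_size == 0)
        return -1;

    /* Scan at most dst_size bytes; there is no need to read further. */
    while (len < dst_size && src[len] != '\0')
        len++;

    if (len >= dst_size) {      /* no room left for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }

    memcpy(dst, src, len + 1);  /* copies the NUL as well */
    return 0;
}

/* Exercise bounded_copy with a buffer of buf_size bytes (STRINGSIZE or
 * STRINGSIZE * 2 in the thread) against a constructed input of input_len
 * 'A' characters. Returns 1 if the copy was accepted, 0 if it was rejected. */
int fits_in(size_t buf_size, size_t input_len)
{
    char input[STRINGSIZE * 4];   /* constructed input, longer than either buffer */
    char area[STRINGSIZE * 2];    /* the larger of the two buffer sizes in the patch */

    if (input_len >= sizeof input || buf_size > sizeof area)
        return 0;

    memset(input, 'A', input_len);
    input[input_len] = '\0';

    return bounded_copy(area, buf_size, input) == 0;
}

int main(void)
{
    printf("1023 chars into %d bytes: %s\n", STRINGSIZE,
           fits_in(STRINGSIZE, 1023) ? "accepted" : "rejected");
    printf("1024 chars into %d bytes: %s\n", STRINGSIZE,
           fits_in(STRINGSIZE, 1024) ? "accepted" : "rejected");
    printf("2047 chars into %d bytes: %s\n", STRINGSIZE * 2,
           fits_in(STRINGSIZE * 2, 2047) ? "accepted" : "rejected");
    printf("2048 chars into %d bytes: %s\n", STRINGSIZE * 2,
           fits_in(STRINGSIZE * 2, 2048) ? "accepted" : "rejected");
    return 0;
}
```

The check is written against `dst_size` rather than a hard-coded `STRINGSIZE`, so the same helper is correct whether the buffer is declared as `STRINGSIZE` or `STRINGSIZE * 2`; doubling the array changes which inputs are accepted, not whether an overlong one can corrupt memory.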
