Author: truckman
Date: Thu May 26 01:33:24 2016
New Revision: 300705
URL: https://svnweb.freebsd.org/changeset/base/300705

Log:
  Avoid buffer overflow when copying the input file name and appending .dat.
  
  Check the return value from fread() to be sure that it was successful.
  
  Reported by:  Coverity
  CID:          1006709, 1009452
  MFC after:    1 week

Modified:
  head/usr.bin/fortune/unstr/unstr.c

Modified: head/usr.bin/fortune/unstr/unstr.c
==============================================================================
--- head/usr.bin/fortune/unstr/unstr.c  Thu May 26 01:19:13 2016        
(r300704)
+++ head/usr.bin/fortune/unstr/unstr.c  Thu May 26 01:33:24 2016        
(r300705)
@@ -86,13 +86,19 @@ main(int argc, char *argv[])
                exit(1);
        }
        Infile = argv[1];
-       strcpy(Datafile, Infile);
-       strcat(Datafile, ".dat");
+       if ((size_t)snprintf(Datafile, sizeof(Datafile), "%s.dat", Infile) >=
+           sizeof(Datafile)) 
+               errx(1, "%s name too long", Infile);
        if ((Inf = fopen(Infile, "r")) == NULL)
                err(1, "%s", Infile);
        if ((Dataf = fopen(Datafile, "r")) == NULL)
                err(1, "%s", Datafile);
-       fread((char *)&tbl, sizeof(tbl), 1, Dataf);
+       if (fread((char *)&tbl, sizeof(tbl), 1, Dataf) != 1) {
+               if (feof(Dataf))
+                       errx(1, "%s read EOF", Datafile);
+               else
+                       err(1, "%s read", Datafile);
+       }
        tbl.str_version = be32toh(tbl.str_version);
        tbl.str_numstr = be32toh(tbl.str_numstr);
        tbl.str_longlen = be32toh(tbl.str_longlen);
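Review bot: The `(size_t)snprintf(...) >= sizeof(Datafile)` test relies on a negative snprintf() return wrapping to a very large size_t, so a formatting error is reported as "name too long"; it fails closed, but that intent is not visible to a reader. Storing the result first makes both cases explicit: `int n = snprintf(Datafile, sizeof(Datafile), "%s.dat", Infile);` followed by `if (n < 0 || (size_t)n >= sizeof(Datafile))`. The bound is only meaningful if Datafile is an array rather than a pointer, which its declaration outside the hunk would confirm. Separately, the header fields converted with be32toh() after the new fread() check come straight from the .dat file, so any later use of them as counts or lengths needs its own range check; main's body continues past the hunk, so whether that exists cannot be seen here.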