Attachment 875665 Details for Bug 916028 – [PATCH] vfat: fix out-of-bounds write in autorename

[patch] [PATCH] vfat: fix out-of-bounds write in autorename

0001-vfat-fix-out-of-bounds-write-in-autorename.patch (text/plain), 1.08 KB, created by Arsen Arsenović on 2023-11-25 22:46:49 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Arsen Arsenović

Created: 2023-11-25 22:46:49 UTC

Size: 1.08 KB

patch

obsolete

>From 4ed6e0ce2503d56e2638b235adbe78524c22caa9 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Arsen=20Arsenovi=C4=87?= <arsen@gentoo.org>
>Date: Sat, 25 Nov 2023 23:27:15 +0100
>Subject: [PATCH] vfat: fix out-of-bounds write in autorename
>
>In vfat.c:autorename, the rename routine updates the trailing two
>characters of the non-null-terminated dos_name::base using sprintf,
>however, sprintf writes a null terminator one past the end of the
>buffer.  To prevent this, we can use snprintf with and pass it the
>correct output buffer size.
>
>Detected via _FORTIFY_SOURCE=3.
>
>Bug: https://bugs.gentoo.org/916028
>---
> vfat.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/vfat.c b/vfat.c
>index 5247d99..ab23098 100644
>--- a/vfat.c
>+++ b/vfat.c
>@@ -127,7 +127,7 @@ static void autorename(char *name,
> 
> 	tmp = name[dotpos];
> 	if((bump && seqnum == 1) || seqnum > 1 || mtools_numeric_tail)
>-		sprintf(name+tildapos,"%c%d",tilda, seqnum);
>+		snprintf(name+tildapos,limit-tildapos,"%c%d",tilda, seqnum);
> 	if(dot)
> 	    name[dotpos]=tmp;
> 	/* replace the character if it wasn't a space */
>-- 
>2.43.0
>

Actions: View | Diff

Attachments on bug 916028: 875665