From b15772853cffe20bf6499d52cd40b116e357b69b Mon Sep 17 00:00:00 2001 From: "Carsten Haitzler (Rasterman)" Date: Wed, 7 Nov 2018 16:14:16 +0000 Subject: [PATCH] elm test config - ensure buffer does't get overfilled with lots of profs the "let's use strncpy" brigade of course made sure to use it to "be secure" and yet still overtflow the buffer... this is a perfect lesson in DOP NOT USE strncpy unless you carefully think about the code and get it right. i mean things like: strncat(buf, profiles[i], strlen(profiles[i]) + 1); is blindly using strncpy ... and it's no better than strcpy, but mroe complex and giving the illusion of "it's safe". pay attention to your code people. please. thanks. --- src/bin/elementary/test_config.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/bin/elementary/test_config.c b/src/bin/elementary/test_config.c index 2f190921f8..243e080b80 100644 --- a/src/bin/elementary/test_config.c +++ b/src/bin/elementary/test_config.c @@ -84,10 +84,12 @@ _profile_update(Evas_Object *win) { for (i = 0; i < n; i++) { - if (i >= 1) strncat(buf, ", ", 2); - strncat(buf, profiles[i], strlen(profiles[i]) + 1); + if (strlen(buf) >= (sizeof(buf) - 3)) break; + if (i >= 1) strcat(buf, ", "); + if (strlen(buf) >= (sizeof(buf) - 1 - strlen(profiles[i]))) break; + strcat(buf, profiles[i]); } - strncat(buf, "", 4); + if (strlen(buf) < (sizeof(buf) - 5)) strcat(buf, ""); } elm_object_text_set(lb, buf); }