fix out of bounds read when loading a plugin with a long name

The GVC plugin loading code copies the first 63 characters of the name of a
plugin to a temporary buffer in order to do various string manipulation on it.
However, this buffer was not initialized and never manually terminated. As a
result, a plugin name of 63 characters or more would result in the buffer
containing a non-terminated string. Subsequent strchr on this buffer would
over-read if it never saw a ':', resulting in unpredictable behavior.

This fix simply zero-initializes the buffer to begin with, so the copied-in
string is always NUL-terminated.

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 850666ca85eb50ce28a8debdf00b559c6c35061d..bb93b41aad9b36adf1cb2cb6d2c72b04e40211a0 100644 (file)
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - no longer pass libcommon to the linker twice in mm2gv when building with CMake
 - Quartz plugin is now compiled with explicit `--tag=CC` to libtool #2065
 
+### Fixed
+
+- out of bounds read when attempting to load a plugin whose name is ≥63
+  characters
+
 ## [2.47.2] - 2021-05-26
 
 ### Added

diff --git a/lib/gvc/gvplugin.c b/lib/gvc/gvplugin.c
index f4383c19c826cfa9e2edd13a7d183874a9e65225..f70f7d16688236bbd5e3e96852f40d39acf9180f 100644 (file)
--- a/lib/gvc/gvplugin.c
+++ b/lib/gvc/gvplugin.c
@@ -262,7 +262,7 @@ gvplugin_available_t *gvplugin_load(GVC_t * gvc, api_t api, const char *str)
     gvplugin_api_t *apis;
     gvplugin_installed_t *types;
 #define TYPBUFSIZ 64
-    char reqtyp[TYPBUFSIZ], typ[TYPBUFSIZ];
+    char reqtyp[TYPBUFSIZ] = {0}, typ[TYPBUFSIZ];
     char *reqdep, *dep = NULL, *reqpkg;
     int i;
     api_t apidep;