Similar to the previous commit, the GVC plugin loading code copies the names of
registered plugins to a temporary buffer as it iterates through them to allow
mutating the name. And just like the code for mutating the name of the plugin
being loaded, it would fail to NUL-terminate this temporary buffer, causing a
following strchr to over-read.

The fix again is to simply zero-initialize the temporary buffer, so the
copied-in string is always NUL-terminated.
- out of bounds read when attempting to load a plugin whose name is ≥63
characters
+- out of bounds read when examining a registered plugin whose name is ≥63
+ characters
## [2.47.2] - 2021-05-26
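Review bot: The added entry differs from the one above it only in "examining a registered plugin" versus "attempting to load a plugin", so a reader scanning the changelog can easily take the two for a duplicate. Consider saying that this one is triggered while iterating over the already registered plugins, or fold both into a single entry that names both code paths.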
gvplugin_api_t *apis;
gvplugin_installed_t *types;
#define TYPBUFSIZ 64
- char reqtyp[TYPBUFSIZ] = {0}, typ[TYPBUFSIZ];
+ char reqtyp[TYPBUFSIZ] = {0}, typ[TYPBUFSIZ] = {0};
char *reqdep, *dep = NULL, *reqpkg;
int i;
api_t apidep;
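Review bot: The `= {0}` on typ is applied once at the declaration, and per the commit message typ is refilled for every registered plugin, so the buffer stays terminated only if each copy writes at most TYPBUFSIZ - 1 bytes. That copy is outside this hunk, so please confirm the bound there, or make the invariant local by setting typ[TYPBUFSIZ - 1] = '\0' right after the copy. A short comment at the declaration saying the initializers are what guarantee termination would also stop a later cleanup from removing them as redundant.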