From: Matthew Fernandez Date: Sat, 29 May 2021 20:15:54 +0000 (-0700) Subject: fix out of bounds read when examining a registered plugin with a long name X-Git-Tag: 2.47.3~15^2~7 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b7ab287ae8b4b0fd78525b87094ef1f33045888c;p=graphviz fix out of bounds read when examining a registered plugin with a long name Similar to the previous commit, the GVC plugin loading code copies the names of registered plugins to a temporary buffer as it iterates through them to allow mutating the name. And just like the code for mutating the name of the plugin begin loaded, it would fail to NUL-terminate this temporary buffer, causing a following strchr to over-read. The fix again is to simply zero-initialize the temporary buffer, so the copied-in string is always NUL-terminated. --- diff --git a/CHANGELOG.md b/CHANGELOG.md index bb93b41aa..f19477bc1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - out of bounds read when attempting to load a plugin whose name is ≥63 characters +- out of bounds read when examining a registered plugin whose name is ≥63 + characters ## [2.47.2] - 2021-05-26 diff --git a/lib/gvc/gvplugin.c b/lib/gvc/gvplugin.c index f70f7d166..254900d4c 100644 --- a/lib/gvc/gvplugin.c +++ b/lib/gvc/gvplugin.c @@ -262,7 +262,7 @@ gvplugin_available_t *gvplugin_load(GVC_t * gvc, api_t api, const char *str) gvplugin_api_t *apis; gvplugin_installed_t *types; #define TYPBUFSIZ 64 - char reqtyp[TYPBUFSIZ] = {0}, typ[TYPBUFSIZ]; + char reqtyp[TYPBUFSIZ] = {0}, typ[TYPBUFSIZ] = {0}; char *reqdep, *dep = NULL, *reqpkg; int i; api_t apidep;
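Review bot: the new CHANGELOG entry states the threshold as "≥63 characters", which is only consistent with `#define TYPBUFSIZ 64` in the gvplugin.c hunk if the copy into `typ` writes at most `TYPBUFSIZ - 1` bytes and never the terminator itself (a 63-character name then exactly fills the first 63 bytes and the terminator has to come from the zero-initialization); if the copy length differs from that of the "attempting to load a plugin" entry above it, the two thresholds should be reconciled so the entry is not misleading.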
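Review bot: `char reqtyp[TYPBUFSIZ] = {0}, typ[TYPBUFSIZ] = {0};` only guarantees a terminator if every later copy into `typ` writes at most `TYPBUFSIZ - 1` bytes; the declaration is at function scope and, per the commit message, `typ` is refilled on each iteration over the registered plugins, so the initializer clears the buffer once and a copy that writes a full `TYPBUFSIZ` bytes would overwrite the final NUL and reintroduce the over-read for the following `strchr`. Consider adding an explicit `typ[TYPBUFSIZ - 1] = '\0';` after the copy (or using a bounded formatting call that always terminates) and a short comment on the declaration stating that the zero-initialization is what the later `strchr` relies on, so the invariant survives future edits.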