From 2efac45c44320528868ec0af2295158915e09774 Mon Sep 17 00:00:00 2001 From: Matthew Fernandez Date: Sat, 29 May 2021 13:08:16 -0700 Subject: [PATCH] fix out of bounds read when loading a plugin with a long name The GVC plugin loading code copies the first 63 characters of the name of a plugin to a temporary buffer in order to do various string manipulation on it. However, this buffer was not initialized and never manually terminated. As a result, a plugin name of 63 characters or more would result in the buffer containing a non-terminated string. Subsequent strchr on this buffer would over-read if it never saw a ':', resulting in unpredictable behavior. This fix simply zero-initializes the buffer to begin with, so the copied-in string is always NUL-terminated. --- CHANGELOG.md | 5 +++++ lib/gvc/gvplugin.c | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 850666ca8..bb93b41aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - no longer pass libcommon to the linker twice in mm2gv when building with CMake - Quartz plugin is now compiled with explicit `--tag=CC` to libtool #2065 +### Fixed + +- out of bounds read when attempting to load a plugin whose name is ≥63 + characters + ## [2.47.2] - 2021-05-26 ### Added diff --git a/lib/gvc/gvplugin.c b/lib/gvc/gvplugin.c index f4383c19c..f70f7d166 100644 --- a/lib/gvc/gvplugin.c +++ b/lib/gvc/gvplugin.c @@ -262,7 +262,7 @@ gvplugin_available_t *gvplugin_load(GVC_t * gvc, api_t api, const char *str) gvplugin_api_t *apis; gvplugin_installed_t *types; #define TYPBUFSIZ 64 - char reqtyp[TYPBUFSIZ], typ[TYPBUFSIZ]; + char reqtyp[TYPBUFSIZ] = {0}, typ[TYPBUFSIZ]; char *reqdep, *dep = NULL, *reqpkg; int i; api_t apidep; -- 2.40.0
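Review bot: the new "Fixed" entry in the CHANGELOG hunk does not say which component was affected; the commit message attributes the over-read to the GVC plugin loading code, so the entry would be more useful to readers scanning release notes as something like "- out of bounds read in the GVC plugin loader when attempting to load a plugin whose name is ≥63 characters".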
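Review bot: in the gvplugin.c hunk, `char reqtyp[TYPBUFSIZ] = {0}, typ[TYPBUFSIZ];` only guarantees a terminator if the copy into `reqtyp` writes at most `TYPBUFSIZ - 1` bytes, and that copy is outside the visible context, so please confirm its length argument is `TYPBUFSIZ - 1` rather than `TYPBUFSIZ` (or add an explicit `reqtyp[TYPBUFSIZ - 1] = '\0';` after the copy so the invariant is local and survives later edits). The same declaration leaves `typ` uninitialized; if `typ` is ever filled by a length-limited copy of the same kind it needs the same treatment. Finally, the commit message notes that only the first 63 characters are copied, so a longer plugin name is now silently truncated rather than rejected; it may be worth checking the length up front and refusing over-long names with a diagnostic instead of matching against a truncated string.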