From d9dbca415a8181d4437dfafde802753819511217 Mon Sep 17 00:00:00 2001
From: Matthew Fernandez
Date: Sat, 24 Oct 2020 09:17:54 -0700
Subject: [PATCH] fix a buffer overflow in string construction
The conditional in this code was the wrong way around. So the %s branch could be taken only when the resulting sprintf would *definitely* overflow the target buffer. From this we can conclude this branch was never safe and never used correctly.
For simplicity, we remove it, leaving only the %d option.
Related to !1620.
---
 CHANGELOG.md | 1 +
 lib/fdpgen/layout.c | 9 +--------
 2 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 46a1cc671..471265773 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -61,6 +61,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - make fails if ps2pdf is not installed (using autotools) #1763
 - multiple graphs to file output causes a segfault #1845
 - lefty PTY functionality relies on file descriptor implementation details #1823
+- buffer overflow in fdpgen
 ## [2.44.1] - 2020-06-29
diff --git a/lib/fdpgen/layout.c b/lib/fdpgen/layout.c
index a1ad9178c..e0bf9d6d9 100644
--- a/lib/fdpgen/layout.c
+++ b/lib/fdpgen/layout.c
@@ -310,8 +310,7 @@ static void addCluster(clist_t * clist, graph_t * subg)
 /* portName:
 * Generate a name for a port.
- * We use the name of the subgraph and names of the nodes on the edge,
- * if possible. Otherwise, we use the ids of the nodes.
+ * We use the ids of the nodes.
 * This is for debugging. For production, just use edge id and some
 * id for the graph. Note that all the graphs are subgraphs of the
 * root graph. 
@@ -322,13 +321,7 @@ static char *portName(graph_t * g, bport_t * p)
 node_t *h = aghead(e);
 node_t *t = agtail(e);
 static char buf[BSZ + 1];
- int len = 8;
- len += strlen(agnameof(g)) + strlen(agnameof(h)) + strlen(agnameof(t));
- if (len >= BSZ)
- sprintf(buf, "_port_%s_%s_%s_%ld", agnameof(g), agnameof(t), agnameof(h),
- (uint64_t)AGSEQ(e));
- else
 sprintf(buf, "_port_%s_(%d)_(%d)_%ld",agnameof(g), ND_id(t), ND_id(h), (uint64_t)AGSEQ(e));
 return buf;
-- 
2.40.0
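Review bot: The sprintf that survives in this hunk still writes agnameof(g) through an unbounded %s into the fixed static buf[BSZ + 1], so deleting the branch removes the overflow that was guaranteed but not the one a sufficiently long subgraph name can still cause, and the deleted length computation was the only code that looked at that name's size at all. Bound the write instead of trusting the input: `snprintf(buf, sizeof buf, "_port_%s_(%d)_(%d)_%" PRIu64, agnameof(g), ND_id(t), ND_id(h), (uint64_t)AGSEQ(e));` (PRIu64 comes from inttypes.h, which I cannot see included from this hunk). That also repairs the `%ld` conversion being paired with a `uint64_t` argument, a mismatch the standard leaves undefined and that is concretely wrong on 32-bit-long targets. Because the comment above says the name is for debugging, a truncated name is acceptable, so checking the snprintf return value for `>= sizeof buf` and logging or asserting is enough. portName's signature and closing brace lie outside the hunk.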