38 lines
1.4 KiB
Plaintext
38 lines
1.4 KiB
Plaintext
$OpenBSD: patch-src_rxvtfont_c,v 1.1.1.1 2010/05/03 16:35:20 dcoppa Exp $
|
|
|
|
Fix possible off-by-one buffer overflows by replacing every call of
|
|
strcpy, strcat, sprintf by respectively strlcpy, strlcat and snprintf.
|
|
-- 2010-04-16 Thomas de Grivel <billitch@gmail.com>
|
|
|
|
diff -ruN rxvt-unicode-9.07.orig/src/rxvtfont.C rxvt-unicode-9.07/src/rxvtfont.C
|
|
--- src/rxvtfont.C.orig Sat Apr 4 23:27:28 2009
|
|
+++ src/rxvtfont.C Tue Apr 27 18:13:09 2010
|
|
@@ -632,10 +632,13 @@ replace_field (char **ptr, const char *name, int index
|
|
if (slashes >= 13 && (!old || *field == old))
|
|
{
|
|
size_t len = field - name;
|
|
- *ptr = (char *)malloc (len + strlen (replace) + strlen (end) + 1);
|
|
+ size_t len_replace = strlen (replace);
|
|
+ size_t len_end = strlen (end);
|
|
+ *ptr = (char *)malloc (len + len_replace + len_end + 1);
|
|
memcpy (*ptr, name, len);
|
|
- strcpy (*ptr + len, replace);
|
|
- strcat (*ptr, end);
|
|
+ memcpy (*ptr + len, replace, len_replace);
|
|
+ memcpy (*ptr + len + len_replace, end, len_end);
|
|
+ (*ptr)[len + len_replace + len_end] = 0;
|
|
|
|
return true;
|
|
}
|
|
@@ -696,8 +699,8 @@ rxvt_font_x11::load (const rxvt_fontprop &prop, bool f
|
|
}
|
|
}
|
|
|
|
- sprintf (field_str, "%d", prop.height == rxvt_fontprop::unset
|
|
- ? 0 : prop.height);
|
|
+ snprintf (field_str, sizeof (field_str), "%d",
|
|
+ prop.height == rxvt_fontprop::unset ? 0 : prop.height);
|
|
|
|
struct font_weight {
|
|
char *name;
|