Source: imview Version: 1.1.9c-9 Severity: important Tags: patch I had a quick look at some of the code of imview and noticed some code snippets that use the result strncpy in a dangerous way. In readUserPrefs one can smash the stack if either IMVIEWHOME or HOME have contain more than DFLTSTRLEN characters since strncpy won't terminate prefpath in that case.
I didn't check for more occurrences other than those fixed in the patch, but there might be more. Regards -- Sebastian Ramacher
--- a/imview.cxx +++ b/imview.cxx @@ -1251,11 +1251,14 @@ // read the user preferences if present if (((p = getenv("IMVIEWHOME")) != 0) || ((p = getenv("HOME")) != 0)) { strncpy(prefpath, p, DFLTSTRLEN); + prefpath[DFLTSTRLEN - 1] = '\0'; + // keep these potential paths as the install path snprintf(installpath, DFLTSTRLEN, "%s%c%s", prefpath, PATHSEP, PrefPath); } else { snprintf(prefpath, DFLTSTRLEN, ".%c%s", PATHSEP, PrefPath); // look in the default installation directory (long shot) strncpy(installpath, prefpath, DFLTSTRLEN); + installpath[DFLTSTRLEN - 1] = '\0'; } #ifdef MACOSX_CARBON @@ -1274,7 +1277,8 @@ strcat(tmppath, "preferences"); dbgprintf("looking in %s\n", tmppath); if (fileprefs->readprefs(tmppath)) { - strcpy(currentprefspath, tmppath); // save the location of the prefs file + strncpy(currentprefspath, tmppath, DFLTSTRLEN); // save the location of the prefs file + currentprefspath[DFLTSTRLEN - 1] = '\0'; break; // found preferences, finished } else { // no joy there, try next string if possible if (prefpath[i] != '\0') { @@ -2056,6 +2060,7 @@ #ifdef MACOSX_CARBON char AppContainerPath[DFLTSTRLEN]; strncpy(AppContainerPath, runningpath, DFLTSTRLEN); + AppContainerPath[DFLTSTRLEN - 1] = '\0'; strncat(AppContainerPath, "/../Resources", DFLTSTRLEN); clutpathlist[4] = AppContainerPath; clutpathlist[5] = 0;
signature.asc
Description: Digital signature