Source: imview Version: 1.1.9c-9 Severity: important Tags: patch I had a quick look at some of the code of imview and noticed some code snippets that use the result strncpy in a dangerous way. In readUserPrefs one can smash the stack if either IMVIEWHOME or HOME have contain more than DFLTSTRLEN characters since strncpy won't terminate prefpath in that case.
I didn't check for more occurrences other than those fixed in the patch, but there might be more. Regards -- Sebastian Ramacher
--- a/imview.cxx
+++ b/imview.cxx
@@ -1251,11 +1251,14 @@
// read the user preferences if present
if (((p = getenv("IMVIEWHOME")) != 0) || ((p = getenv("HOME")) != 0)) {
strncpy(prefpath, p, DFLTSTRLEN);
+ prefpath[DFLTSTRLEN - 1] = '\0';
+
// keep these potential paths as the install path
snprintf(installpath, DFLTSTRLEN, "%s%c%s", prefpath, PATHSEP, PrefPath);
} else {
snprintf(prefpath, DFLTSTRLEN, ".%c%s", PATHSEP, PrefPath); // look in the default installation directory (long shot)
strncpy(installpath, prefpath, DFLTSTRLEN);
+ installpath[DFLTSTRLEN - 1] = '\0';
}
#ifdef MACOSX_CARBON
@@ -1274,7 +1277,8 @@
strcat(tmppath, "preferences");
dbgprintf("looking in %s\n", tmppath);
if (fileprefs->readprefs(tmppath)) {
- strcpy(currentprefspath, tmppath); // save the location of the prefs file
+ strncpy(currentprefspath, tmppath, DFLTSTRLEN); // save the location of the prefs file
+ currentprefspath[DFLTSTRLEN - 1] = '\0';
break; // found preferences, finished
} else { // no joy there, try next string if possible
if (prefpath[i] != '\0') {
@@ -2056,6 +2060,7 @@
#ifdef MACOSX_CARBON
char AppContainerPath[DFLTSTRLEN];
strncpy(AppContainerPath, runningpath, DFLTSTRLEN);
+ AppContainerPath[DFLTSTRLEN - 1] = '\0';
strncat(AppContainerPath, "/../Resources", DFLTSTRLEN);
clutpathlist[4] = AppContainerPath;
clutpathlist[5] = 0;
signature.asc
Description: Digital signature
