Hello Adam Majer!

Stumbled across your bug report while browsing over release-critical ones...

I haven't even looked at the lpe source, but just from looking at the
hunk included as context in your patch it looks like the source
could really use some wider review than just targeted fixes.

On Tue, Dec 23, 2014 at 09:34:20AM -0600, Adam Majer wrote:
[...]
> diff -u lpe-1.2.7/src/buffer.c lpe-1.2.7/src/buffer.c
> --- lpe-1.2.7/src/buffer.c    2014-06-23 22:53:33.582593198 -0500
> +++ lpe-1.2.7/src/buffer.c    2014-12-23 09:08:54.888625050 -0600
> @@ -158,8 +158,8 @@
>               int (*accept) (buffer *);
>  

Consider the case where strlen(ent->d_name) == basename_len.

>                  if (strlen(ent->d_name) > basename_len) {
This should probably use >= .            ^^^^

       The  strlen() function calculates the length of the string s,
 =>    excluding the terminating null byte ('\0').

> -                    basename_len = strlen(ent->d_name) + 1;
> -                    name = realloc(name, (basename-name) + basename_len);
> +                    basename_len = strlen(ent->d_name);
> +                    name = realloc(name, (basename-name) + basename_len + 1);
>                      basename = name + basename_off;
>                  }
>               strcpy (basename, ent->d_name);
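Review bot: basename_len changes meaning in this hunk (from the number of bytes allocated, strlen + 1, to the number of characters excluding the NUL) but only the two lines inside the `if` are updated, so whether `if (strlen(ent->d_name) > basename_len)` is now right depends on how basename_len is initialised and read elsewhere, which is outside the hunk; suggest stating the invariant next to the variable, e.g. `/* buffer at basename holds basename_len + 1 bytes */`, and checking every other use of basename_len against it. Separately, `name = realloc(name, ...)` overwrites name with NULL when realloc fails, so the old block leaks and the following `strcpy (basename, ent->d_name)` writes through a pointer derived from NULL; assign the result to a temporary and bail out when it is NULL before touching basename.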

       The  strcpy()  function  copies the string pointed to by src,
 =>    including the terminating null byte ('\0'), ...

As mentioned, I haven't looked at the full source so I might very well
be missing something.  As I understood it this is the second attempt at
fixing an issue here.  Possibly a wider review of how to avoid
off-by-one in the entire source could be useful.

Regards,
Andreas Henriksson
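As an added example (not lpe's code and not part of the message above), here is the sizing rule the discussion turns on made explicit: the buffer's capacity is tracked in bytes, every store asks for strlen + 1, and a name exactly as long as the previous one still fits. The names and the namebuf type are constructed for the example.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Constructed for this example: a growable name buffer whose invariant is
 * explicit. buf holds `cap` bytes; storing s needs strlen(s) + 1 bytes,
 * since strlen() excludes the NUL that strcpy() writes. */
typedef struct {
    char *buf;
    size_t cap;   /* bytes allocated, including room for the terminating NUL */
} namebuf;

/* Ensure buf can hold `need` bytes. Returns 0 on success, -1 on allocation
 * failure, in which case the old buffer is kept rather than leaked. */
static int namebuf_reserve(namebuf *nb, size_t need)
{
    if (need <= nb->cap)
        return 0;                       /* equal fits: no off-by-one here */
    char *p = realloc(nb->buf, need);   /* temporary so failure keeps nb->buf */
    if (p == NULL)
        return -1;
    nb->buf = p;
    nb->cap = need;
    return 0;
}

/* Copy `name` into the buffer, growing it as required. */
int namebuf_set(namebuf *nb, const char *name)
{
    /* strlen() excludes the NUL and strcpy() copies it: size for it here. */
    if (namebuf_reserve(nb, strlen(name) + 1) != 0)
        return -1;
    strcpy(nb->buf, name);
    return 0;
}

void namebuf_free(namebuf *nb) { free(nb->buf); nb->buf = NULL; nb->cap = 0; }

/* The case from the discussion: a second name whose length equals the
 * first's must still fit together with its NUL. Returns the final capacity. */
size_t demo_equal_length_names(void)
{
    namebuf nb = { NULL, 0 };
    if (namebuf_set(&nb, "buffer.c") != 0) return 0;  /* 8 chars -> cap 9 */
    if (namebuf_set(&nb, "editor.c") != 0) return 0;  /* also 8 chars, cap stays 9 */
    size_t cap = nb.cap;
    assert(strcmp(nb.buf, "editor.c") == 0);
    namebuf_free(&nb);
    return cap;
}
```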

