On Thu, Dec 03, 2020 at 03:48:00PM +0100, Christian Weisgerber wrote:
> Claudio Jeker:
>
> > In tal_parse() use strndup() to create the tal descr instead of the more
> > complex malloc, memcpy version. Result is the same but the strndup version
> > is a lot nicer.
>
> Yes, but...
>
> > --- tal.c 11 Oct 2020 12:39:25 -0000 1.22
> > +++ tal.c 3 Dec 2020 12:00:25 -0000
> > @@ -198,10 +198,8 @@ tal_parse(const char *fn, char *buf)
> >  dlen = strlen(d);
> >  if (strcasecmp(d + dlen - 4, ".tal") == 0)
> >  dlen -= 4;
>
> That looks like a potential out-of-bounds access. Are we guaranteed
> that dlen >= 4 here?

Indeed, that strcasecmp should only be done if dlen > 4. I'll change that.

> > - if ((p->descr = malloc(dlen + 1)) == NULL)
> > + if ((p->descr = strndup(d, dlen)) == NULL)
> >  err(1, NULL);
> > - memcpy(p->descr, d, dlen);
> > - p->descr[dlen] = '\0';
> >
> >  return p;
> > }
>
> ok

-- 
:wq Claudio
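Review bot: the unchanged context line `if (strcasecmp(d + dlen - 4, ".tal") == 0)` evaluates `d + dlen - 4` before anything establishes that `dlen >= 4`, so for a descr shorter than four bytes the pointer lands before the start of the buffer and strcasecmp() reads out of bounds, which is the issue Christian raises in the quoted reply. Since the hunk touches this block anyway, guard the comparison in the same change, e.g. `if (dlen >= 4 && strcasecmp(d + dlen - 4, ".tal") == 0)`, so the pointer arithmetic only happens when it is in range. The strndup() line itself is a faithful replacement for the removed malloc/memcpy/NUL-terminate sequence, as strndup(d, dlen) copies at most dlen bytes and appends the terminator, and the `err(1, NULL)` failure path is preserved.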