On 2023/03/19 08:11:27 -0600, Todd C. Miller <mill...@openbsd.org> wrote:
> The current code for extracting the token name from %{name} can be
> simplified by computing the token name length. The existing code
> copies "name}" to token[] using memcpy(), then strchr() to find the
> '}' and replace it with a NUL. Using strchr() here is fragile since
> token[] is not yet NUL-terminated. This is currently not a problem
> since there is an earlier check for '}' in the source string but
> it could be dangerous if the code changes further.
>
> I find it much simpler to compute the token name length, verify the
> length, copy the bytes and then explicitly NUL-terminate token.
> This results in less code and is more easily audited.
Agreed, I find it simpler too, and less fragile.

> I've also removed the duplicate check for *(pbuf+1) != '{'.
>
> OK? (while I still have the details fresh in my mind)

ok for me
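The length-first extraction described in the thread, as an added illustration that is not the code under review: `extract_token()` and `check_token()` are assumed names, and the buffer size and sample inputs are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not the OpenBSD code under review: extract the name
 * from a "%{name}" directive at pbuf into token[] (tokensize bytes).
 * Returns the number of source bytes consumed (the whole "%{name}"),
 * or 0 if the input is malformed or the name does not fit. */
size_t
extract_token(const char *pbuf, char *token, size_t tokensize)
{
	const char *name, *end;
	size_t len;

	if (pbuf[0] != '%' || pbuf[1] != '{')
		return 0;
	name = pbuf + 2;
	/* Search the NUL-terminated source, never the unfinished token[]. */
	end = strchr(name, '}');
	if (end == NULL)
		return 0;
	len = (size_t)(end - name);
	/* Verify the length before copying, leaving room for the NUL. */
	if (len == 0 || len >= tokensize)
		return 0;
	memcpy(token, name, len);
	token[len] = '\0';	/* explicit termination, no strchr() on token[] */
	return len + 3;		/* '%', '{', name, '}' */
}

/* Self-check helper (assumed name): run extract_token() on src with an
 * 8-byte buffer and report whether it consumed want_consumed bytes and
 * produced want_name (pass NULL for want_name when rejection is expected). */
int
check_token(const char *src, const char *want_name, size_t want_consumed)
{
	char token[8];
	size_t n = extract_token(src, token, sizeof token);

	if (n != want_consumed)
		return 0;
	return want_name == NULL ? 1 : strcmp(token, want_name) == 0;
}
```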