Просмотр исходного кода

lib/dpkg/test/t-ar.c: fix buffer overflow in ar test

t-ar overflows arh.ar_name by two bytes: one because the string it uses
is 17 bytes long rather than 16, and one because it uses strcpy which
writes a trailing \0.  When compiling with -D_FORTIFY_SOURCE=2, as
Ubuntu does by default, this crashes.  Fix the string length and stop
null-terminating it.
Colin Watson лет назад: 16
Родитель
Сommit
db0b70bc26
2 измененных файлов с 5 добавлено и 2 удалено
  1. 3 0
      debian/changelog
  2. 2 2
      lib/dpkg/test/t-ar.c

+ 3 - 0
debian/changelog

@@ -14,6 +14,9 @@ dpkg (1.15.8) UNRELEASED; urgency=low
   * Clarify description of dpkg --configure in dpkg(1). Thanks to Colin Watson
     for the patch and to Robert Persson for the report.
     Closes: #582406 LP: #77287
+  * Fix the non-regression test lib/dpkg/test/t-ar.c by not overflowing the
+    size of ar_name. Thanks to Colin Watson for the report, analysis and patch.
+    Closes: #582401
 
   [ Guillem Jover ]
   * Require gettext 0.18:

+ 2 - 2
lib/dpkg/test/t-ar.c

@@ -29,11 +29,11 @@ test_ar_normalize_name(void)
 {
 	struct ar_hdr arh;
 
-	strcpy(arh.ar_name, "member-name/     ");
+	strncpy(arh.ar_name, "member-name/    ", sizeof(arh.ar_name));
 	dpkg_ar_normalize_name(&arh);
 	test_str(arh.ar_name, ==, "member-name");
 
-	strcpy(arh.ar_name, "member-name      ");
+	strncpy(arh.ar_name, "member-name     ", sizeof(arh.ar_name));
 	dpkg_ar_normalize_name(&arh);
 	test_str(arh.ar_name, ==, "member-name");
 }