From 2ea16b8969850fd2952ca80239cf37e77d0e7edd Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Mon, 29 Aug 2011 08:49:19 -0700 Subject: [PATCH 1/1] * dbusbind.c (xd_signature, Fdbus_register_signal): Do not overrun buffer; instead, report string overflow. --- src/ChangeLog | 3 +++ src/dbusbind.c | 41 ++++++++++++++++++++++------------------- 2 files changed, 25 insertions(+), 19 deletions(-) diff --git a/src/ChangeLog b/src/ChangeLog index d60c57dfd5..307174268b 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -20,6 +20,9 @@ (esprintf, esnprintf, exprintf, evxprintf): New decls. * window.h (command_loop_level, minibuf_level): Reflect API changes. + * dbusbind.c (xd_signature, Fdbus_register_signal): + Do not overrun buffer; instead, report string overflow. + 2011-08-26 Paul Eggert Integer and memory overflow issues (Bug#9196). diff --git a/src/dbusbind.c b/src/dbusbind.c index 4828f4e968..005d521c1d 100644 --- a/src/dbusbind.c +++ b/src/dbusbind.c @@ -271,6 +271,7 @@ xd_signature (char *signature, unsigned int dtype, unsigned int parent_type, Lis { unsigned int subtype; Lisp_Object elt; + char const *subsig; char x[DBUS_MAXIMUM_SIGNATURE_LENGTH]; elt = object; @@ -328,12 +329,13 @@ xd_signature (char *signature, unsigned int dtype, unsigned int parent_type, Lis if (NILP (elt)) { subtype = DBUS_TYPE_STRING; - strcpy (x, DBUS_TYPE_STRING_AS_STRING); + subsig = DBUS_TYPE_STRING_AS_STRING; } else { subtype = XD_OBJECT_TO_DBUS_TYPE (CAR_SAFE (elt)); xd_signature (x, subtype, dtype, CAR_SAFE (XD_NEXT_VALUE (elt))); + subsig = x; } /* If the element type is DBUS_TYPE_SIGNATURE, and this is the @@ -342,7 +344,7 @@ xd_signature (char *signature, unsigned int dtype, unsigned int parent_type, Lis if ((subtype == DBUS_TYPE_SIGNATURE) && STRINGP (CAR_SAFE (XD_NEXT_VALUE (elt))) && NILP (CDR_SAFE (XD_NEXT_VALUE (elt)))) - strcpy (x, SSDATA (CAR_SAFE (XD_NEXT_VALUE (elt)))); + subsig = SSDATA (CAR_SAFE (XD_NEXT_VALUE (elt))); while (!NILP (elt)) { @@ -351,7 +353,10 @@ xd_signature (char *signature, unsigned int dtype, unsigned int parent_type, Lis elt = CDR_SAFE (XD_NEXT_VALUE (elt)); } - sprintf (signature, "%c%s", dtype, x); + if (esnprintf (signature, DBUS_MAXIMUM_SIGNATURE_LENGTH, + "%c%s", dtype, subsig) + == DBUS_MAXIMUM_SIGNATURE_LENGTH - 1) + string_overflow (); break; case DBUS_TYPE_VARIANT: @@ -2026,7 +2031,7 @@ usage: (dbus-register-signal BUS SERVICE PATH INTERFACE SIGNAL HANDLER &rest ARG DBusConnection *connection; ptrdiff_t i; char rule[DBUS_MAXIMUM_MATCH_RULE_LENGTH]; - char x[DBUS_MAXIMUM_MATCH_RULE_LENGTH]; + int rulelen; DBusError derror; /* Check parameters. */ @@ -2071,34 +2076,32 @@ usage: (dbus-register-signal BUS SERVICE PATH INTERFACE SIGNAL HANDLER &rest ARG connection = xd_initialize (bus, TRUE); /* Create a rule to receive related signals. */ - sprintf (rule, - "type='signal',interface='%s',member='%s'", - SDATA (interface), - SDATA (signal)); + rulelen = esnprintf (rule, sizeof rule, + "type='signal',interface='%s',member='%s'", + SDATA (interface), + SDATA (signal)); /* Add unique name and path to the rule if they are non-nil. */ if (!NILP (uname)) - { - sprintf (x, ",sender='%s'", SDATA (uname)); - strcat (rule, x); - } + rulelen += esnprintf (rule + rulelen, sizeof rule - rulelen, + ",sender='%s'", SDATA (uname)); if (!NILP (path)) - { - sprintf (x, ",path='%s'", SDATA (path)); - strcat (rule, x); - } + rulelen += esnprintf (rule + rulelen, sizeof rule - rulelen, + ",path='%s'", SDATA (path)); /* Add arguments to the rule if they are non-nil. */ for (i = 6; i < nargs; ++i) if (!NILP (args[i])) { CHECK_STRING (args[i]); - sprintf (x, ",arg%"pD"d='%s'", i - 6, - SDATA (args[i])); - strcat (rule, x); + rulelen += esnprintf (rule + rulelen, sizeof rule - rulelen, + ",arg%"pD"d='%s'", i - 6, SDATA (args[i])); } + if (rulelen == sizeof rule - 1) + string_overflow (); + /* Add the rule to the bus. */ dbus_error_init (&derror); dbus_bus_add_match (connection, rule, &derror); -- 2.39.2