author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2022-04-10 10:46:51 -0700 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2022-04-10 10:46:51 -0700 |
commit | a5c70489f99c8259d4770aeb96524a91395b8ab9 (patch) | |
tree | 7f23226d940421b3f59c682785b06f702c480907 | |
parent | 999691ffaef492d4bebea69605d274fa2023dfee (diff) | |
download | xorg-app-xauth-a5c70489f99c8259d4770aeb96524a91395b8ab9.tar.gz |
Fix off-by-one in quote-stripping routines
Reported by Oracle Parfait:
Error: Buffer overrun
Buffer overflow [buffer-overflow] (CWE 120):
In pointer dereference of key[(len - 1)] with index (len - 1)
Array size >= 1 bytes, index >= 1
at line 1647 of process.c in function 'do_add'.
Error: Buffer overrun
Buffer overflow [buffer-overflow] (CWE 120):
In pointer dereference of authdata[(authdatalen - 1)] with index (authdatalen - 1)
Array size is ??? bytes, index is ???
at line 1965 of process.c in function 'do_generate'.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r-- | process.c | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -1644,7 +1644,7 @@ do_add(const char *inputfilename, int lineno, int argc, const char **argv) return 1; } strncpy(key, hexkey+1, len-2); - key[len-1] = '\0'; + key[len-2] = '\0'; len -= 2; } else if (!strcmp(protoname, SECURERPC) || !strcmp(protoname, K5AUTH)) { @@ -1962,7 +1962,7 @@ do_generate(const char *inputfilename, int lineno, int argc, const char **argv) goto exit_generate; } strncpy(authdata, hexdata+1, authdatalen-2); - authdata[authdatalen-1] = '\0'; + authdata[authdatalen-2] = '\0'; authdatalen -= 2; } else { authdatalen = cvthexkey (hexdata, &authdata); |
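Review bot: in the do_add hunk the terminator index `len-2` is still written out separately from the `strncpy` count (`len-2`) and from the `len -= 2` that follows, which is the arrangement that let the original `len-1` go unnoticed. Adjusting the length first and then using the one value for both the copy and the terminator, for example `len -= 2;` followed by `key[len] = '\0';`, would leave a single expression to get right. The hunk does not show where `key` is allocated, and Parfait's report only says "Array size >= 1 bytes", so it would help to state in the commit message (or in a comment next to the allocation) that `key` holds at least `len-1` bytes of the original `len`, which is what the new index requires.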
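Review bot: the do_generate hunk repeats the do_add quote-stripping sequence with only the variable names changed (`strncpy(authdata, hexdata+1, authdatalen-2);`, terminator, `authdatalen -= 2;`), and the same off-by-one had to be fixed in both places; a small shared helper that strips the surrounding quotes would keep the two copies from diverging again. Parfait reported the size of `authdata` as "???" here, and the visible context does not show the allocation or a check that `authdatalen` is at least 2 before `authdatalen-2` is used as both the copy count and the index, so a short comment or an explicit check documenting that precondition would make the fix easier to verify.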