[dev] [dmenu] [PATCH] Fix buffer overrun problem on Tab keypress.

From: Alexander Sedov <alex0player_AT_gmail.com>
Date: Tue, 26 Mar 2013 03:50:13 +0400

---
When trying to Tab-complete on strings with length >= BUFSIZ, dmenu incorrectly
handles copying and then calls strlen() on a non-null-terminated buffer.
On my system, this led to a freeze rather than just a crash, which is much worse
due to dmenu grabbing the keyboard.
This patch fixes that behaviour with the most correct one.
An arguably better solution would be to use strlcpy() instead of strncpy(),
but it's not in POSIX, not in string.h, and requires -lbsd, all of which are
really sad.
 dmenu.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/dmenu.c b/dmenu.c
index 3962801..86f8c46 100644
--- a/dmenu.c
+++ b/dmenu.c
_AT_@ -380,7 +380,8 @@ keypress(XKeyEvent *ev) {
 	case XK_Tab:
 		if(!sel)
 			return;
-		strncpy(text, sel->text, sizeof text);
+		strncpy(text, sel->text, sizeof text - 1);
+		text[sizeof text - 1] = '\0';
 		cursor = strlen(text);
 		match();
 		break;
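Review bot: in the two added lines, `sizeof text - 1` is only the right bound while `text` is a true array in this scope; its declaration is not in the hunk, and if it were a pointer, `sizeof text` would be the pointer size. Worth confirming that before merging. The copy also now silently truncates a long `sel->text` before `match()` runs on it, so a one-line comment above the `strncpy()` noting that truncation is intended would help the next reader. The following `cursor = strlen(text);` is safe once the terminator is written.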
-- 
1.7.10.4
Received on Tue Mar 26 2013 - 00:50:13 CET
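
The failure described in the commit message and the patched copy, side by side, as an added example that is not part of the original mail or of dmenu's source. `TEXT_SIZE`, the helper names and the sample item are constructed for illustration; a 16-byte array stands in for dmenu's `text` buffer.

```c
#include <stdio.h>
#include <string.h>

#define TEXT_SIZE 16 /* constructed: small stand-in for the size of dmenu's text buffer */

/* 1 if buf holds a NUL within its first size bytes; memchr never reads past size. */
static int is_terminated(const char *buf, size_t size)
{
	return memchr(buf, '\0', size) != NULL;
}

/* Pre-patch copy: no NUL is written when strlen(src) >= size.
 * Returns whether dst ended up terminated. */
static int copy_unpatched(char *dst, size_t size, const char *src)
{
	strncpy(dst, src, size);
	return is_terminated(dst, size);
}

/* Patched copy: copy at most size - 1 bytes, then terminate explicitly.
 * Returns 1 if src had to be truncated, 0 if it fit. */
static int copy_patched(char *dst, size_t size, const char *src)
{
	strncpy(dst, src, size - 1);
	dst[size - 1] = '\0';
	return strlen(src) > size - 1;
}

int main(void)
{
	char text[TEXT_SIZE];
	const char *item = "0123456789abcdefXYZ"; /* constructed: 19 chars */
	int ok, truncated;

	memset(text, 'A', sizeof text); /* simulate stale bytes in the buffer */
	ok = copy_unpatched(text, sizeof text, item);
	printf("unpatched: terminated=%d (strlen would read past text)\n", ok);

	memset(text, 'A', sizeof text);
	truncated = copy_patched(text, sizeof text, item);
	printf("patched: truncated=%d text=\"%s\" cursor=%zu\n",
	       truncated, text, strlen(text));
	return 0;
}
```

The unpatched result is checked with `memchr()` rather than `strlen()` so the demonstration itself never reads past the array.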
