Nathanael Nerode <neroden@twcny.rr.com> writes:
I was told that this is in fact the correct way to solve the buffer
overflow problem. What do I know? Nothing. So I'm throwing it to the list.
...
- sprintf (tmp_filename, "%200s/gnat-XXXXXX", tmpdir);
+ sprintf (tmp_filename, "%.200s/gnat-XXXXXX", tmpdir);
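Review bot: the precision in "%.200s" keeps sprintf from writing past the buffer but silently truncates tmpdir instead of reporting that it does not fit, and the literal 200 is not derived from the buffer's real size. Measure the input first, i.e. compare strlen (tmpdir) + sizeof "/gnat-XXXXXX" against the buffer length, signal an error when it does not fit, and only then format with a plain "%s".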
Yes, in the sense that %200s won't stop it overflowing the buffer and
%.200s will. No, in the sense that this fails in an unpredictable
manner if the string is too long.
The actual length of the buffer is __gnat_max_path_len-1 bytes (since
these C routines require one byte for a terminator), so the _proper_
fix would look more like
tmpdir = getenv ("TMPDIR");
tmplen = strlen (tmpdir);
if (tmplen + sizeof "/gnat-XXXXXX" >= __gnat_max_path_len)
  { /* signal an error; do not fall through to the sprintf */ }
else
  sprintf (tmp_filename, "%s/gnat-XXXXXX", tmpdir); // now safe
zw
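The two approaches side by side, as an added example written for this thread and not code from GCC or GNAT: MAX_PATH_LEN stands in for __gnat_max_path_len (assumed value 32 so the over-long case is easy to hit), and the "/tmp" fallback for an unset TMPDIR is an assumption as well.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for GNAT's __gnat_max_path_len (assumed value, chosen small so
   the truncation case is easy to exercise). */
#define MAX_PATH_LEN 32
#define GNAT_TEMPLATE "/gnat-XXXXXX"

/* The quoted %.200s style fix, scaled to this buffer: the precision caps
   tmpdir so the buffer cannot overflow, but an over-long tmpdir is cut
   silently and the template lands in a directory that does not exist. */
void build_truncating(char buf[MAX_PATH_LEN], const char *tmpdir)
{
    int prec = MAX_PATH_LEN - (int) sizeof GNAT_TEMPLATE;   /* 19 chars */
    sprintf(buf, "%.*s" GNAT_TEMPLATE, prec, tmpdir);
}

/* The reply's approach: measure tmpdir against the real buffer size first
   and refuse rather than truncate.  Returns 0 on success, -1 (buf left
   unchanged) when the result would not fit. */
int build_checked(char buf[MAX_PATH_LEN], const char *tmpdir)
{
    if (tmpdir == NULL || *tmpdir == '\0')
        tmpdir = "/tmp";              /* assumed fallback for an unset TMPDIR */
    size_t tmplen = strlen(tmpdir);
    /* sizeof GNAT_TEMPLATE includes the terminator; same test as the reply. */
    if (tmplen + sizeof GNAT_TEMPLATE >= MAX_PATH_LEN)
        return -1;
    sprintf(buf, "%s" GNAT_TEMPLATE, tmpdir);   /* now provably in bounds */
    return 0;
}

int main(void)
{
    const char *dirs[] = { "/tmp", "/var/tmp/a-rather-long-directory" };
    char buf[MAX_PATH_LEN];
    for (size_t i = 0; i < 2; i++) {
        build_truncating(buf, dirs[i]);
        printf("truncating: %s\n", buf);
        if (build_checked(buf, dirs[i]) == 0)
            printf("checked:    %s\n", buf);
        else
            printf("checked:    TMPDIR too long (%zu chars), refused\n", strlen(dirs[i]));
    }
    return 0;
}
```

With the second directory the truncating version quietly yields "/var/tmp/a-rather-l/gnat-XXXXXX", a path under a directory that does not exist, while the checked version reports the problem instead.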
OK, someone please write a patch which is correct and commit it as
obvious. *rolls eyes* Maybe I'll reopen the bug. This type of
material is so not my field.