Created attachment 124720
patch to fix this issue

The function strncpy() does not guarantee to nul terminate the destination. In most cases, this cannot be triggered, but it is also used to parse user environment variables. These are allowed to be longer than 1023 characters, effectively resulting in an unterminated string. I've adjusted other places as well, because it won't hurt.
--- a/va/va_trace.c +++ b/va/va_trace.c @@ -546,6 +546,7 @@ static int open_tracing_specil_file( FILE *fp = NULL; strncpy(env_value, fn_env, 1024); + env_value[0] = '\0'; should the index be 1023 instead of 0?
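Review bot: The added line env_value[0] = '\0'; directly after strncpy(env_value, fn_env, 1024); puts the terminator at the start of the buffer, so the value that was just copied becomes an empty string. The terminator belongs at the last index the copy can reach, 1023 for the 1024 bound used here. Consider deriving that index from the buffer size instead of repeating the literal, so the strncpy bound and the terminator index cannot drift apart.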
Oops, yes of course. It has to be 1023 instead of 0, thanks for spotting. :)
commit 1517fd276e12cac14c018d5a30792177eb6c59de
Author: Tobias Stoeckmann <tobias@stoeckmann.org>
Date:   Sat Jun 25 20:08:31 2016 +0200

    Properly terminate parsed environment values with '\0'.
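The three variants discussed in this thread, side by side, as an added example that is not code from the libva patch: the bare strncpy(), the first revision that terminated at index 0, and termination at the last index. The function names and ENV_BUF_SIZE are hypothetical (the size is assumed from the 1024 bound in the hunk), and the oversized value is constructed.

```c
#include <stdio.h>
#include <string.h>

#define ENV_BUF_SIZE 1024 /* assumed: matches the 1024 bound in the patch */

/* Constructed input: a value of len 'A' characters, like an oversized env var. */
static void make_value(char *out, size_t len)
{
    memset(out, 'A', len);
    out[len] = '\0';
}

/* Unpatched pattern. Returns 1 if dst holds a NUL within size bytes, else 0. */
static int copy_unpatched(char *dst, size_t size, const char *src)
{
    strncpy(dst, src, size); /* writes no NUL when strlen(src) >= size */
    return memchr(dst, '\0', size) != NULL;
}

/* First revision of the patch. Returns the resulting string length (always 0). */
static size_t copy_index_zero(char *dst, size_t size, const char *src)
{
    strncpy(dst, src, size);
    dst[0] = '\0'; /* terminates, but discards the copied value */
    return strlen(dst);
}

/* Corrected pattern. Returns 1 if src was truncated, 0 if it fit. */
static int copy_terminated(char *dst, size_t size, const char *src)
{
    if (size == 0)
        return 1;
    strncpy(dst, src, size - 1);
    dst[size - 1] = '\0'; /* index 1023 for a 1024-byte buffer */
    return strlen(src) >= size;
}

int main(void)
{
    char src[2001], dst[ENV_BUF_SIZE];
    int truncated;

    make_value(src, 2000);
    memset(dst, 'X', sizeof dst); /* stand-in for uninitialized stack bytes */
    printf("unpatched terminated: %d\n", copy_unpatched(dst, sizeof dst, src));
    printf("index 0 length: %zu\n", copy_index_zero(dst, sizeof dst, src));
    truncated = copy_terminated(dst, sizeof dst, src);
    printf("truncated: %d, length: %zu\n", truncated, strlen(dst));
    return 0;
}
```

Returning the truncation flag lets a caller reject an oversized value instead of silently opening a shortened file name.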