fix a buffer overflow in the query function [#218983]
rh#212833
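--- a/lib/query.c
+++ b/lib/query.c
@@ -133,8 +133,10 @@ int showQueryPackage(QVA_t qva, rpmts ts
 int rc = 0; /* XXX FIXME: need real return code */
 int nonewline = 0;
 int i;
+ size_t tsize;
 
- te = t = xmalloc(BUFSIZ);
+ tsize = BUFSIZ * 2;
+ te = t = xmalloc(tsize);
 /*@-boundswrite@*/
 *te = '\0';
 /*@=boundswrite@*/
@@ -147,8 +149,9 @@ int showQueryPackage(QVA_t qva, rpmts ts
 size_t tb = (te - t);
 size_t sb = strlen(str);
 
- if (sb >= (BUFSIZ - tb)) {
- t = xrealloc(t, BUFSIZ+sb);
+ if (sb > 0) {
+ tsize += sb;
+ t = xrealloc(t, tsize);
 te = t + tb;
 }
 /*@-boundswrite@*/
@@ -261,6 +264,13 @@ int showQueryPackage(QVA_t qva, rpmts ts
 }
 /*@=boundswrite@*/
 
+ if (strlen(fn) + BUFSIZ > tsize) {
+ size_t tb = (te - t);
+ tsize = strlen(fn) + BUFSIZ * 2;
+ t = xrealloc(t, tsize);
+ te = t + tb;
+ }
+
 if (qva->qva_flags & QUERY_FOR_DUMPFILES) {
 sprintf(te, "%s %d %d %s 0%o ", fn, (int)fsize, fmtime, fmd5, fmode);
 te += strlen(te);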
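Review bot: The new guard in the third hunk, `if (strlen(fn) + BUFSIZ > tsize)`, compares against the total allocation and ignores the `te - t` bytes already in the buffer, so it can pass while fewer than `strlen(fn) + BUFSIZ` bytes remain free. Unless `te` is reset to `t` before every file entry (not visible here; showQueryPackage starts and continues outside the hunk), I would compute `tb` first and test `if (tb + strlen(fn) + BUFSIZ > tsize)`, then grow with `tsize = tb + strlen(fn) + BUFSIZ * 2;`. The `sprintf(te, ...)` call that follows is still unbounded and only `fn` is measured, so the other `%s` arguments such as `fmd5` depend on the BUFSIZ slack; `snprintf(te, tsize - (te - t), ...)` with a truncation check would make the bound explicit.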