First report of the static analyzer: A string is copied into the buffer 's' of size 577 without checking its length first at sparc_attrs.c:95.
Corrections explained: Record Length Limit: We use strncat to add a line indicating the available remaining_size. This prevents writing beyond the allocated memory. Remaining space update: remaining_size is updated after each entry to ensure that row additions do not cause overflow. Found by RASU JSC. Signed-off-by: Anton Moryakov <ant.v.morya...@gmail.com> --- elfutils/backends/sparc_attrs.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/elfutils/backends/sparc_attrs.c b/elfutils/backends/sparc_attrs.c index 974e8fb..0ba17c8 100644 --- a/elfutils/backends/sparc_attrs.c +++ b/elfutils/backends/sparc_attrs.c @@ -87,12 +87,17 @@ sparc_check_object_attribute (Ebl *ebl __attribute__ ((unused)), } char *s = name; + size_t remaining_size = sizeof(name) - 1; for (cap = 0; cap < 32; cap++) if (value & (1U << cap)) { - if (*s != '\0') - s = strcat (s, ","); - s = strcat (s, caps[cap]); + if (*s != '\0'&& remaining_size > 1) + { + strncat(s, ",", remaining_size); + remaining_size --; + } + strncat(s, caps[cap], remaining_size); + remaining_size -= strlen(caps[cap]); } *value_name = s; -- 2.30.2
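Review bot: The last added line of the hunk, `remaining_size -= strlen(caps[cap]);`, can underflow and defeat the bound it is meant to maintain: when `strncat(s, caps[cap], remaining_size)` truncates because `strlen (caps[cap]) > remaining_size`, the subtraction wraps the `size_t` to a very large value, so on the next iteration `remaining_size > 1` holds, the comma is appended, and `strncat` runs with an effectively unlimited count, which is exactly the overflow the patch sets out to prevent. Subtract only what was actually appended, e.g. `size_t len = strlen (caps[cap]); if (len > remaining_size) len = remaining_size; remaining_size -= len;`, or `break` out of the loop as soon as `remaining_size` reaches zero, since nothing further can fit. Two smaller points on the same hunk: `if (*s != '\0'&& remaining_size > 1)` drops the separator when one byte remains but still appends the capability name, so a truncated result can fuse two names into one, which is misleading output rather than a clean cut; and the new lines do not match the surrounding GNU style (`strcat (s, ",")` has a space before the parenthesis; `remaining_size --` should be `remaining_size--`, and `&&` needs a space on both sides).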