On Fri, Aug 30, 2024 at 5:39 AM david kerns <david.t.ke...@gmail.com> wrote:
> > On Fri, Aug 30, 2024 at 3:01 AM anonymous <invalid.nore...@gnu.org> wrote:
> >
> >> Indicating that
> >> https://git.savannah.gnu.org/cgit/screen.git/tree/src/attacher.c#n465
> >> causes the crash.
> >>
> >
> > unsolicited input :)
> >
> > as I read it:
> >
> >     p = m.m.command.cmd;
> >     n = 0;
> >     for (; *av && n < MAXARGS - 1; ++av, ++n) {
> >         size_t len;
> >         len = strlen(*av) + 1;
> >         if (p + len >= m.m.command.cmd + ARRAY_SIZE(m.m.command.cmd) - 1)
> >             break;
> >         strncpy(p, *av, MAXPATHLEN);
> >         p += len;
> >     }
> >
> > The if condition above the strncpy will dynamically protect against an actual
> > buffer overflow. However, the third argument to strncpy is too big and needs
> > to be decreased by (len+1)
> >

... and actually, not decreased until after the copy...

    p = m.m.command.cmd;
    n = 0;
    size_t maxcplen = ARRAY_SIZE(m.m.command.cmd) - 1;
    for (; *av && n < MAXARGS - 1; ++av, ++n) {
        size_t len;
        len = strlen(*av) + 1;
        if (p + len >= m.m.command.cmd + ARRAY_SIZE(m.m.command.cmd) - 1)
            break;
        strncpy(p, *av, maxcplen);
        p += len;
        maxcplen -= len;
    }
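Added illustration of the point in this thread (not screen's code and not any participant's patch): strncpy writes exactly its length argument, string plus NUL padding, so a bound of MAXPATHLEN overruns the command buffer even though the if-guard holds. CMD_SIZE, MAXARGS and MAXPATHLEN below are constructed stand-ins, not screen's values; pack_args is the corrected loop as a function, and original_write_extent computes, without performing the writes, how far the original loop would have written.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins: a small command buffer keeps the offsets easy to follow;
 * MAXARGS and MAXPATHLEN only mirror the names used in the thread, not screen's values. */
#define CMD_SIZE   64
#define MAXARGS    8
#define MAXPATHLEN 4096

/* The corrected loop from the thread as a function: pack argv strings back to
 * back into cmd[]. strncpy always writes exactly its length argument (the string,
 * then NUL padding), so that argument must shrink to the space left after p,
 * otherwise the padding runs past the buffer. Returns the number of args packed. */
size_t pack_args(char *cmd, size_t cmdsize, char **av)
{
    char *p = cmd;
    size_t n = 0;
    size_t maxcplen = cmdsize - 1;          /* space left after p, minus final NUL */
    for (; *av && n < MAXARGS - 1; ++av, ++n) {
        size_t len = strlen(*av) + 1;       /* bytes including the terminating NUL */
        if (p + len >= cmd + cmdsize - 1)   /* would not fit: stop, do not truncate */
            break;
        strncpy(p, *av, maxcplen);          /* pads only up to the end of cmd[] */
        p += len;
        maxcplen -= len;                    /* decreased after the copy, as noted */
    }
    return n;
}

/* Simulate the ORIGINAL loop's writes (strncpy bound of MAXPATHLEN) without
 * performing them: each copy touches bytes [off, off + MAXPATHLEN). Returns the
 * furthest offset touched; anything above cmdsize is an out-of-bounds write,
 * even though the if-guard above the copy is never violated. */
size_t original_write_extent(size_t cmdsize, char **av)
{
    size_t off = 0, n = 0, extent = 0;
    for (; *av && n < MAXARGS - 1; ++av, ++n) {
        size_t len = strlen(*av) + 1;
        if (off + len >= cmdsize - 1)
            break;
        if (off + MAXPATHLEN > extent)
            extent = off + MAXPATHLEN;
        off += len;
    }
    return extent;
}
```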