There is a chance that the input string is larger than size, and on VMS,
authorRichard Levitte <levitte@openssl.org>
Wed, 29 May 2002 08:31:39 +0000 (08:31 +0000)
committerRichard Levitte <levitte@openssl.org>
Wed, 29 May 2002 08:31:39 +0000 (08:31 +0000)
this wasn't checked and could possibly be exploitable (slim chance, but still)

apps/apps.c

index e797796..aca750b 100644 (file)
@@ -310,9 +310,16 @@ void program_name(char *in, char *out, int size)
 
        q=strrchr(p,'.');
        if (q == NULL)
-               q = in+size;
-       strncpy(out,p,q-p);
-       out[q-p]='\0';
+               q = p + strlen(p);
+       strncpy(out,p,size-1);
+       if (q-p >= size)
+               {
+               out[size-1]='\0';
+               }
+       else
+               {
+               out[q-p]='\0';
+               }
        }
 #else
 void program_name(char *in, char *out, int size)
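Review bot: The added `strncpy(out,p,size-1)` and `out[size-1]='\0'` both assume `size` is at least 1. Because `size` is a signed `int`, a caller passing 0 or a negative value turns `size-1` into a very large `size_t` count, and the terminator is then written before the start of `out`. A guard ahead of the copy, e.g. `if (size < 1) return;`, would close that off; whether any caller can pass such a value cannot be told from here, because the body of this VMS variant starts above the hunk. The `#else` variant of `program_name` that begins on the last line continues outside the hunk, so it is worth confirming that it bounds its copy by `size` in the same way.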