Fix buffer overflow in dump_ps_page_header - enscript - GNU Enscript
---
DIR commit 0acc7b63a1be9f5d02f1a21d6df52cb5a9ce7e58
DIR parent a3e6bf57e48bb7434cdd590732e221fd2e0b4c17
HTML Author: Tim Retout <diocles@gnu.org>
Date: Sat, 28 Mar 2009 13:04:32 +0000
Fix buffer overflow in dump_ps_page_header
Diffstat:
M src/ChangeLog | 3 +++
M src/psgen.c | 32 ++++++++++---------------------
2 files changed, 13 insertions(+), 22 deletions(-)
---
DIR diff --git a/src/ChangeLog b/src/ChangeLog
@@ -5,6 +5,9 @@
disabled in most distros for five years anyway. See
CAN-2004-1185.
+ * psgen.c (dump_ps_page_header): Use basename() and dirname() to
+ split path. Fixes a buffer overflow - see CAN-2004-1186.
+
2009-01-25 Tim Retout <diocles@gnu.org>
* main.c (main): Respect $HOME when searching for ~/.enscriptrc
DIR diff --git a/src/psgen.c b/src/psgen.c
@@ -23,6 +23,7 @@
*/
#include "gsint.h"
+#include <libgen.h>
/*
* Types and definitions.
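Review bot: `<libgen.h>` is included unconditionally, yet the code this commit removes further down had a `#if defined(WIN32)` branch that also split on `\\`, so the file was evidently meant to build on Windows as well. `<libgen.h>` is a POSIX header that not every Windows toolchain ships, and a POSIX `basename()`/`dirname()` does not treat a backslash as a separator. I would put the include behind a configure-time check, for example `#if HAVE_LIBGEN_H`, and keep a fallback splitter with no fixed-size buffer for platforms without it.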
@@ -2006,8 +2007,7 @@ get_next_token (InputStream *is, double linestart, double linepos,
static void
dump_ps_page_header (char *fname, int empty)
{
- char buf[512];
- char *ftail;
+ char *dirc, *basec, *fdir, *ftail;
int got, i;
char *cp, *cp2;
char *cstr = "%%";
@@ -2016,25 +2016,11 @@ dump_ps_page_header (char *fname, int empty)
/* The N-up printing sub-page. */
nup_subpage = (total_pages - 1) % nup;
- /* Create fdir and ftail. */
- ftail = strrchr (fname, '/');
-
-#if defined(WIN32)
- if (ftail == NULL)
- ftail = strrchr (fname, '\\');
-#endif /* WIN32 */
-
- if (ftail == NULL)
- {
- buf[0] = '\0';
- ftail = fname;
- }
- else
- {
- ftail++;
- strncpy (buf, fname, ftail - fname);
- buf[ftail - fname] = '\0';
- }
+ /* Split fname into fdir and ftail. */
+ dirc = strdup(fname);
+ basec = strdup(fname);
+ fdir = dirname(dirc);
+ ftail = basename(basec);
if (nup > 1)
{
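Review bot: Both `strdup()` results are handed straight to `dirname()` and `basename()` without a NULL check. POSIX has both functions return "." for a null pointer, so an allocation failure would not crash here but would silently write `.` as the directory and file name in the page header. Add `if (dirc == NULL || basec == NULL)` right after the two `strdup()` calls and fail the way the rest of the file handles out-of-memory. A comment such as `/* dirname() and basename() may modify their argument, so each gets its own copy. */` would also explain why two copies are made. The function body continues outside this hunk, so any early exit between here and the `xfree()` calls should be checked for leaks.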
@@ -2180,13 +2166,15 @@ dump_ps_page_header (char *fname, int empty)
OUTPUT ((cofp, "/fname (%s) def\n", cp));
xfree (cp);
- cp = escape_string (buf);
+ cp = escape_string (fdir);
OUTPUT ((cofp, "/fdir (%s) def\n", cp));
xfree (cp);
+ xfree (dirc);
cp = escape_string (ftail);
OUTPUT ((cofp, "/ftail (%s) def\n", cp));
xfree (cp);
+ xfree (basec);
/* Do we have a pending ^@font{} font? */
if (user_fontp)
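Review bot: The string written to `/fdir` changes format with this commit, and the ChangeLog entry does not mention it. The removed code copied the path up to and including the last `/` (or an empty string when there was none), whereas `dirname()` returns the directory without a trailing slash and `.` when the name has no directory part. A PostScript header that concatenates `fdir` and `ftail` to rebuild the path would then produce a different result, though no such consumer is visible in this hunk. Either document the new format or append the separator before `escape_string (fdir)`. Separately, `dirc` and `basec` come from `strdup()` but are released with `xfree()`, which is only correct if `xfree()` ends up in plain `free()`; its definition is not shown here.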