Merge pull request diffblue#2147 from diffblue/fix-tempdir-buffer-overflow

Daniel Kroening · web-flow · commit c6cbf7c04ffc · 2018-05-03T22:42:41.000+01:00
fix potential non-zero termination of a string buffer
diff --git a/src/goto-cc/compile.cpp b/src/goto-cc/compile.cpp
@@ -226,20 +226,14 @@ bool compilet::add_files_from_archive(
   const std::string &file_name,
   bool thin_archive)
 {
-#ifdef _WIN32
-  char td[MAX_PATH + 1];
-#else
-  char td[] = "goto-cc.XXXXXX";
-#endif
-
   std::stringstream cmd;
   FILE *stream;
 
   std::string tstr = working_directory;
 
   if(!thin_archive)
   {
-    tstr = get_temporary_directory(td);
+    tstr = get_temporary_directory("goto-cc.XXXXXX");
 
     if(tstr=="")
     {
diff --git a/src/util/tempdir.cpp b/src/util/tempdir.cpp
@@ -15,7 +15,7 @@ Author: CM Wintersteiger
 #endif
 
 #include <cstdlib>
-#include <cstring>
+#include <vector>
 
 #if defined(__linux__) || \
     defined(__FreeBSD_kernel__) || \
@@ -34,17 +34,18 @@ std::string get_temporary_directory(const std::string &name_template)
   std::string result;
 
   #ifdef _WIN32
-    DWORD dwBufSize = MAX_PATH;
-    char lpPathBuffer[MAX_PATH];
+    DWORD dwBufSize = MAX_PATH+1;
+    char lpPathBuffer[MAX_PATH+1];
     DWORD dwRetVal = GetTempPathA(dwBufSize, lpPathBuffer);
 
     if(dwRetVal > dwBufSize || (dwRetVal == 0))
       throw "GetTempPath failed"; // NOLINT(readability/throw)
 
-    char t[MAX_PATH];
-
-    strncpy(t, name_template.c_str(), MAX_PATH);
+    // GetTempFileNameA produces <path>\<pre><uuuu>.TMP
+    // where <pre> = "TLO"
+    // Thus, we must make the buffer 1+3+4+1+3=12 characters longer.
 
+    char t[MAX_PATH];
     UINT uRetVal=GetTempFileNameA(lpPathBuffer, "TLO", 0, t);
     if(uRetVal == 0)
       throw "GetTempFileName failed"; // NOLINT(readability/throw)
@@ -64,9 +65,9 @@ std::string get_temporary_directory(const std::string &name_template)
       prefixed_name_template+='/';
     prefixed_name_template+=name_template;
 
-    char t[1000];
-    strncpy(t, prefixed_name_template.c_str(), 1000);
-    const char *td = mkdtemp(t);
+    std::vector<char> t(prefixed_name_template.begin(), prefixed_name_template.end());
+    t.push_back('\0'); // add the zero
+    const char *td = mkdtemp(t.data());
     if(!td)
       throw "mkdtemp failed";
     result=std::string(td);

Original file line number	Diff line number	Diff line change
`@@ -226,20 +226,14 @@ bool compilet::add_files_from_archive(`
`226`	`226`	`const std::string &file_name,`
`227`	`227`	`bool thin_archive)`
`228`	`228`	`{`
`229`		`-#ifdef _WIN32`
`230`		`- char td[MAX_PATH + 1];`
`231`		`-#else`
`232`		`- char td[] = "goto-cc.XXXXXX";`
`233`		`-#endif`
`234`		`-`
`235`	`229`	`std::stringstream cmd;`
`236`	`230`	`FILE *stream;`
`237`	`231`
`238`	`232`	`std::string tstr = working_directory;`
`239`	`233`
`240`	`234`	`if(!thin_archive)`
`241`	`235`	`{`
`242`		`- tstr = get_temporary_directory(td);`
	`236`	`+ tstr = get_temporary_directory("goto-cc.XXXXXX");`
`243`	`237`
`244`	`238`	`if(tstr=="")`
`245`	`239`	`{`