From ce811e78882d9f31636351dfe65351f4ded52c74 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= Date: Sat, 18 Mar 2023 15:45:44 +0200 Subject: intel: Fix some theoretical buffer overflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Looks to me like the theoretical max the sprintf()s need here is about 34+4+9+sizeof(de->d_name) bytes. Let's just make that 64+sizeof(de->d_name) for simplicity. This shuts up the compiler: ../src/intel_device.c: In function ‘__intel_open_device__pci’: ../src/intel_device.c:387:60: warning: ‘%s’ directive writing up to 255 bytes into a region of size 247 [-Wformat-overflow=] 387 | sprintf(path + base + 4, "/dev/dri/%s", de->d_name); | ^~ ../src/intel_device.c:387:25: note: ‘sprintf’ output between 10 and 265 bytes into a destination of size 256 387 | sprintf(path + base + 4, "/dev/dri/%s", de->d_name); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ../src/intel_device.c:392:54: warning: ‘/dev’ directive writing 4 bytes into a region of size between 0 and 255 [-Wformat-overflow=] 392 | sprintf(path + base + 3, "/%s/dev", de->d_name); | ^~~~ ../src/intel_device.c:392:25: note: ‘sprintf’ output between 6 and 261 bytes into a destination of size 256 392 | sprintf(path + base + 3, "/%s/dev", de->d_name); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Ville Syrjälä --- src/intel_device.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/intel_device.c b/src/intel_device.c index f28d3be1..2ce2e9ad 100644 --- a/src/intel_device.c +++ b/src/intel_device.c @@ -335,9 +335,9 @@ static int __intel_open_device__major_minor(int _major, int _minor) static int __intel_open_device__pci(const struct pci_device *pci) { struct stat st; - char path[256]; - DIR *dir; struct dirent *de; + char path[64+sizeof(de->d_name)]; + DIR *dir; int base; int fd; -- cgit v1.2.3