fix buffer overrun in some calls to sscanf

Reported-by: Sergei Antonov <saproj@gmail.com>
Signed-off-by: Karel Zak <kzak@redhat.com>

diff --git a/disk-utils/blockdev.c b/disk-utils/blockdev.c
index ba06ad0355b8af9c5bf431bada4a200857bba3e2..a9e8833ffa3719ab8a5db001cfb4b48cce58d48c 100644 (file)
--- a/disk-utils/blockdev.c
+++ b/disk-utils/blockdev.c
@@ -411,7 +411,7 @@ static void report_all_devices(void)
 {
        FILE *procpt;
        char line[200];
-       char ptname[200];
+       char ptname[200 + 1];
        char device[210];
        int ma, mi, sz;
 

diff --git a/fdisks/fdisk.c b/fdisks/fdisk.c
index 748badf473f6ddc59a2134fbd36cc4de6979d3c9..4d5ab02cebdf07b88c2d30981ae34680a8c8e52f 100644 (file)
--- a/fdisks/fdisk.c
+++ b/fdisks/fdisk.c
@@ -1819,7 +1819,7 @@ static void
 print_all_partition_table_from_option(unsigned long sector_size)
 {
        FILE *procpt;
-       char line[128], ptname[128], devname[256];
+       char line[128 + 1], ptname[128 + 1], devname[256];
        int ma, mi;
        unsigned long long sz;
 

diff --git a/fdisks/sfdisk.c b/fdisks/sfdisk.c
index c9853867a3b9fd493071251393ee11ecfde8e7c8..15c6d331ff479d451da2249a2b31c8858c112844 100644 (file)
--- a/fdisks/sfdisk.c
+++ b/fdisks/sfdisk.c
@@ -2508,7 +2508,7 @@ static int is_ide_cdrom_or_tape(char *device)
 static char *
 nextproc(FILE * procf) {
     static char devname[256];
-    char line[1024], ptname[128];
+    char line[1024], ptname[128 + 1];
     int ma, mi;
     unsigned long long sz;
 

diff --git a/lib/loopdev.c b/lib/loopdev.c
index b759f0c28aee414f8435e466f5bbe880ee5a3802..b644ae50c9939d642ae0d08b330b97cfe76f9bb4 100644 (file)
--- a/lib/loopdev.c
+++ b/lib/loopdev.c
@@ -478,7 +478,7 @@ static int loopcxt_next_from_proc(struct loopdev_cxt *lc)
 
        while (fgets(buf, sizeof(buf), iter->proc)) {
                unsigned int m;
-               char name[128];
+               char name[128 + 1];
 
 
                if (sscanf(buf, " %u %*s %*s %128[^\n ]",

diff --git a/lib/sysfs.c b/lib/sysfs.c
index ad90c19c831991fac4909c4e96e402ad658196e2..7455a30f7c085ec359b4efb2610dc1d48b5703d4 100644 (file)
--- a/lib/sysfs.c
+++ b/lib/sysfs.c
@@ -373,7 +373,7 @@ int sysfs_read_int(struct sysfs_cxt *cxt, const char *attr, int *res)
 char *sysfs_strdup(struct sysfs_cxt *cxt, const char *attr)
 {
        char buf[1024];
-       return sysfs_scanf(cxt, attr, "%1024[^\n]", buf) == 1 ?
+       return sysfs_scanf(cxt, attr, "%1023[^\n]", buf) == 1 ?
                                                strdup(buf) : NULL;
 }
 

diff --git a/libblkid/src/devname.c b/libblkid/src/devname.c
index 4a08452d8c94c93a71efa7b397e67de2031a79fd..17a9e507063921d1905bab38aa201711151cc0de 100644 (file)
--- a/libblkid/src/devname.c
+++ b/libblkid/src/devname.c
@@ -420,7 +420,7 @@ static int probe_all(blkid_cache cache, int only_if_new)
 {
        FILE *proc;
        char line[1024];
-       char ptname0[128], ptname1[128], *ptname = 0;
+       char ptname0[128 + 1], ptname1[128 + 1], *ptname = 0;
        char *ptnames[2];
        dev_t devs[2];
        int ma, mi;

diff --git a/libblkid/src/devno.c b/libblkid/src/devno.c
index 2996343a0583e5ffa90106f97547ac2e1f58ba19..3024beefa77bce8685b08ab7d03591927d4e5dda 100644 (file)
--- a/libblkid/src/devno.c
+++ b/libblkid/src/devno.c
@@ -333,7 +333,7 @@ int blkid_driver_has_major(const char *drvname, int major)
 
        while (fgets(buf, sizeof(buf), f)) {
                int maj;
-               char name[64];
+               char name[64 + 1];
 
                if (sscanf(buf, "%d %64[^\n ]", &maj, name) != 2)
                        continue;