From: Ray Strode
Date: Fri, 22 Dec 2023 15:12:32 +0000 (-0500)
Subject: main: Fix out of bounds write
X-Git-Tag: 23.356.9~1^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0dd39b916bbcba7e0d06719d1aecf41bb3f40f2b;p=thirdparty%2Fplymouth.git

main: Fix out of bounds write

There's currently an out of bounds write when copying dmesg to to the boot buffer. This is because there's a newline and a terminating NUL and only one of the two was being accounted for. This commit fixes the problem by dropping strcat/strcpy and using printf style functions instead. Spotted by Ilya K.
---
diff --git a/src/main.c b/src/main.c
index 09ca6854..ead5ec5a 100644
--- a/src/main.c
+++ b/src/main.c
@@ -1465,16 +1465,12 @@ void
 on_new_kmsg_message (state_t *state,
 kmsg_message_t *kmsg_message)
 {
- long size = strlen (kmsg_message->message) + 1;
- char output[size];
+ ply_buffer_append (state->boot_buffer, "%s\n", kmsg_message->message);

- strcpy (output, kmsg_message->message);
- strcat (output, "\n");
-
- ply_buffer_append_bytes (state->boot_buffer, output, size);
-
- if (state->boot_splash != NULL)
- ply_boot_splash_update_output (state->boot_splash, output, size);
+ if (state->boot_splash != NULL) {
+ ply_boot_splash_update_output (state->boot_splash, kmsg_message->message, strlen (kmsg_message->message));
+ ply_boot_splash_update_output (state->boot_splash, "\n", 1);
+ }
 }

 static bool
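Review bot: The splash path in `on_new_kmsg_message` now delivers each kernel message as two `ply_boot_splash_update_output` calls (the text, then a separate 1-byte `"\n"`), where the old code passed message and newline in one buffer, so any splash plugin that assumes one call carries a complete, newline-terminated chunk should be checked; that code is outside this hunk. The boot-buffer side now depends on how `ply_buffer_append` sizes its formatted output, which is also not visible here, so it is worth confirming that a long kmsg line is neither truncated nor dropped. Passing the message as the `%s` argument rather than as the format string is the right choice for kernel-log text. I would add a comment above the block, for example `/* No local copy: kmsg text is never staged in a stack buffer sized from its own length. */`, so the VLA-plus-`strcat` pattern is not reintroduced later.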