1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
Author: Ole Streicher <olebole@debian.org>
Description: Fix an off-by-one problem with strcpy
Sometimes a string is copied with the length of 8 into an char array with a
length of 8, as found in wcs.c, line 392: wcs->ptype is char[8], and ctype1
may be "DEC--TAN". This will cause an overwriting of the next entry, or if
this is protected (as in Debian) it will cause a crash.
--- a/libwcs/wcs.c
+++ b/libwcs/wcs.c
@@ -388,8 +388,8 @@
if (!strncmp (ctype1, "LONG",4))
strncpy (ctype1, "XLON",4);
- strcpy (wcs->ctype[0], ctype1);
- strcpy (wcs->ptype, ctype1);
+ strncpy (wcs->ctype[0], ctype1, 16);
+ strncpy (wcs->ptype, ctype1, 8);
/* Linear coordinates */
if (!strncmp (ctype1,"LINEAR",6)) {
|