From 4b723cc7fe0ac65146bda8f820c263fdd4e8a603 Mon Sep 17 00:00:00 2001 From: truckman Date: Wed, 1 Jun 2016 22:39:15 +0000 Subject: [PATCH] MFC r300705 (compensating for fortune moving from games to usr.bin) Avoid buffer overflow when copying the input file name and appending .dat. Check the return value from fread() to be sure that it was successful. Reported by: Coverity CID: 1006709, 1009452 git-svn-id: svn://svn.freebsd.org/base/stable/10@301178 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- games/fortune/unstr/unstr.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/games/fortune/unstr/unstr.c b/games/fortune/unstr/unstr.c index f79a0ecc6..77ee1ecce 100644 --- a/games/fortune/unstr/unstr.c +++ b/games/fortune/unstr/unstr.c @@ -86,13 +86,19 @@ main(int argc, char *argv[]) exit(1); } Infile = argv[1]; - strcpy(Datafile, Infile); - strcat(Datafile, ".dat"); + if ((size_t)snprintf(Datafile, sizeof(Datafile), "%s.dat", Infile) >= + sizeof(Datafile)) + errx(1, "%s name too long", Infile); if ((Inf = fopen(Infile, "r")) == NULL) err(1, "%s", Infile); if ((Dataf = fopen(Datafile, "r")) == NULL) err(1, "%s", Datafile); - fread((char *)&tbl, sizeof(tbl), 1, Dataf); + if (fread((char *)&tbl, sizeof(tbl), 1, Dataf) != 1) { + if (feof(Dataf)) + errx(1, "%s read EOF", Datafile); + else + err(1, "%s read", Datafile); + } tbl.str_version = be32toh(tbl.str_version); tbl.str_numstr = be32toh(tbl.str_numstr); tbl.str_longlen = be32toh(tbl.str_longlen); -- 2.42.0