From 258d969a37a15bb8c9793035ccdb7fae5e5699fb Mon Sep 17 00:00:00 2001
From: truckman
Date: Thu, 26 May 2016 01:33:24 +0000
Subject: [PATCH] Avoid buffer overflow when copying the input file name and appending .dat. Check the return value from fread() to be sure that it was successful.
Reported by: Coverity
CID: 1006709, 1009452
MFC after: 1 week
---
 usr.bin/fortune/unstr/unstr.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/usr.bin/fortune/unstr/unstr.c b/usr.bin/fortune/unstr/unstr.c
index f79a0ecc6ebd..77ee1ecce608 100644
--- a/usr.bin/fortune/unstr/unstr.c
+++ b/usr.bin/fortune/unstr/unstr.c
@@ -86,13 +86,19 @@ main(int argc, char *argv[])
 exit(1);
 }
 Infile = argv[1];
- strcpy(Datafile, Infile);
- strcat(Datafile, ".dat");
+ if ((size_t)snprintf(Datafile, sizeof(Datafile), "%s.dat", Infile) >=
+ sizeof(Datafile))
+ errx(1, "%s name too long", Infile);
 if ((Inf = fopen(Infile, "r")) == NULL)
 err(1, "%s", Infile);
 if ((Dataf = fopen(Datafile, "r")) == NULL)
 err(1, "%s", Datafile);
- fread((char *)&tbl, sizeof(tbl), 1, Dataf);
+ if (fread((char *)&tbl, sizeof(tbl), 1, Dataf) != 1) {
+ if (feof(Dataf))
+ errx(1, "%s read EOF", Datafile);
+ else
+ err(1, "%s read", Datafile);
+ }
 tbl.str_version = be32toh(tbl.str_version);
 tbl.str_numstr = be32toh(tbl.str_numstr);
 tbl.str_longlen = be32toh(tbl.str_longlen);
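Review bot: The `(size_t)` cast on the snprintf() result makes a negative error return compare as a very large value, so an snprintf() failure also leaves through the `name too long` branch. That fails closed, but it is implicit and deserves a comment above the check, for example `/* a negative snprintf() return becomes a huge size_t, so errors are rejected here too */`. The diagnostic prints Infile although the name that did not fit is Infile plus `.dat`, so `errx(1, "%s.dat name too long", Infile);` would describe the failure more accurately. The new fread() check only establishes that a full header arrived. The str_* fields converted on the following lines still come from the data file, and whether they are range-checked before use is not visible because main() starts and continues outside the hunk.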