patch 9.0.2142: [security]: stack-buffer-overflow in option callback functions Problem: [security]: stack-buffer-overflow in option callback functions Solution: pass size of errbuf down the call stack, use snprintf() instead of sprintf() We pass the error buffer down to the option callback functions, but in some parts of the code, we simply use sprintf(buf) to write into the error buffer, which can overflow. So let's pass down the length of the error buffer and use sprintf(buf, size) instead. Reported by @henices, thanks! Signed-off-by: Christian Brabandt <cb@256bit.org>

commit: b39b240c386a5a29241415541f1c99e2e6b8ce47 [log] [tgz]
author: Christian Brabandt <cb@256bit.org> Wed Nov 29 11:34:05 2023 +0100
committer: Christian Brabandt <cb@256bit.org> Fri Dec 01 18:58:51 2023 +0100
tree: 25ac23d0f18efb91f00bc053d326fa8549e9d484
parent: 0fb375aae608d7306b4baf9c1f906961f32e2abf [diff] [blame]
diff --git a/src/map.c b/src/map.c
index 5988445..98785e7 100644
--- a/src/map.c
+++ b/src/map.c

@@ -3114,7 +3114,7 @@
 		    {
 			if (p[0] != ',')
 			{
-			    sprintf(args->os_errbuf,
+			    snprintf(args->os_errbuf, args->os_errbuflen,
 				    _(e_langmap_extra_characters_after_semicolon_str),
 				    p);
 			    return args->os_errbuf;
commit	b39b240c386a5a29241415541f1c99e2e6b8ce47	[log] [tgz]
author	Christian Brabandt <cb@256bit.org>	Wed Nov 29 11:34:05 2023 +0100
committer	Christian Brabandt <cb@256bit.org>	Fri Dec 01 18:58:51 2023 +0100
tree	25ac23d0f18efb91f00bc053d326fa8549e9d484
parent	0fb375aae608d7306b4baf9c1f906961f32e2abf [diff] [blame]