[Mesa-dev] [PATCH v6 2/3] gallium/hud: Prevent buffer overflow in hud_thread_counter_install

Robert Foss robert.foss at collabora.com
Wed Jul 5 06:57:40 UTC 2017 

Switch to using util_strlcpy to avoid potential overflow of
name array in struct hud_graph.

Also extract the name element length into a define so that it can
be used for strncpy et al.

Coverity-id: 1413761

Signed-off-by: Robert Foss <robert.foss at collabora.com>
---
Changes since v3:
  Matt Turner <mattst88 at gmail.com>
   - Switch from util_strncpy to util_strlcpy    
    
Changes since v2:
  Brian Paul <brianp at vmware.com>
    - Combined patch with precious patch that only added define
    - Switched to using new util_strncpy function

 src/gallium/auxiliary/hud/hud_cpu.c     | 3 ++-
 src/gallium/auxiliary/hud/hud_private.h | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/gallium/auxiliary/hud/hud_cpu.c b/src/gallium/auxiliary/hud/hud_cpu.c
index 4caaab6977..755f8a08bb 100644
--- a/src/gallium/auxiliary/hud/hud_cpu.c
+++ b/src/gallium/auxiliary/hud/hud_cpu.c
@@ -33,6 +33,7 @@
 #include "os/os_thread.h"
 #include "util/u_memory.h"
 #include "util/u_queue.h"
+#include "util/u_string.h"
 #include <stdio.h>
 #include <inttypes.h>
 #ifdef PIPE_OS_WINDOWS
@@ -362,7 +363,7 @@ void hud_thread_counter_install(struct hud_pane *pane, const char *name,
    if (!gr)
       return;
 
-   strcpy(gr->name, name);
+   util_strlcpy(gr->name, name, HUD_GRAPH_NAME_LEN);
 
    gr->query_data = CALLOC_STRUCT(counter_info);
    if (!gr->query_data) {
diff --git a/src/gallium/auxiliary/hud/hud_private.h b/src/gallium/auxiliary/hud/hud_private.h
index 2b1717d2c4..3a958d3146 100644
--- a/src/gallium/auxiliary/hud/hud_private.h
+++ b/src/gallium/auxiliary/hud/hud_private.h
@@ -87,6 +87,7 @@ struct hud_context {
    bool has_srgb;
 };
 
+#define HUD_GRAPH_NAME_LEN 128
 struct hud_graph {
    /* initialized by common code */
    struct list_head head;
@@ -95,7 +96,7 @@ struct hud_graph {
    float *vertices; /* ring buffer of vertices */
 
    /* name and query */
-   char name[128];
+   char name[HUD_GRAPH_NAME_LEN];
    void *query_data;
    void (*begin_query)(struct hud_graph *gr);
    void (*query_new_value)(struct hud_graph *gr);
-- 
2.11.0

More information about the mesa-dev mailing list