[Spice-devel] [spice-common 3/8] coverity: avoid out of bounds access

Fabiano FidĂȘncio fidencio at redhat.com
Mon Apr 25 07:06:07 UTC 2016


On Mon, Apr 4, 2016 at 10:29 AM, Christophe Fergeau <cfergeau at redhat.com> wrote:
> On Mon, Apr 04, 2016 at 10:03:34AM +0200, Fabiano FidĂȘncio wrote:
>> We are allocating insufficient memory for the terminating null of the
>> string.
>> ---
>>  common/ssl_verify.c | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/common/ssl_verify.c b/common/ssl_verify.c
>> index 601252e..4292ddf 100644
>> --- a/common/ssl_verify.c
>> +++ b/common/ssl_verify.c
>> @@ -283,8 +283,8 @@ static X509_NAME* subject_to_x509_name(const char *subject, int *nentries)
>>      spice_return_val_if_fail(subject != NULL, NULL);
>>      spice_return_val_if_fail(nentries != NULL, NULL);
>>
>> -    key = (char*)alloca(strlen(subject));
>> -    val = (char*)alloca(strlen(subject));
>> +    key = (char*)alloca(strlen(subject) + 1);
>> +    val = (char*)alloca(strlen(subject) + 1);
>>      in_subject = X509_NAME_new();
>
> Can try to write too many chars to the string in practice? We expect the
> string to contain a '=', so key/state will be smaller than subject. If
> there is no '=' in the string, we don't try to add a '\0' to 'key' (I
> did not check the 'val' code path).

Makes sense. I'll drop this patch.

>
> Christophe


More information about the Spice-devel mailing list