You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@subversion.apache.org by st...@apache.org on 2015/01/16 20:25:46 UTC

svn commit: r1652499 - /subversion/trunk/subversion/libsvn_fs_x/util.c

Author: stefan2
Date: Fri Jan 16 19:25:45 2015
New Revision: 1652499

URL: http://svn.apache.org/r1652499
Log:
Fix a theoretical overflow issue with the path constructor buffers.

Those buffers are large enough to never overflow under correct usage.
However, we use strncpy to prevent overflow even under faulty conditions.
If that function hits the buffer limit however, it will not append a NUL.
That, in turn, would result in an unbounded read later.

* subversion/libsvn_fs_x/util.c
  (construct_shard_sub_path,
   construct_txn_path,
   construct_proto_rev_path): Ensure that buffer content is NUL-terminated.

Modified:
    subversion/trunk/subversion/libsvn_fs_x/util.c

Modified: subversion/trunk/subversion/libsvn_fs_x/util.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_fs_x/util.c?rev=1652499&r1=1652498&r2=1652499&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_fs_x/util.c (original)
+++ subversion/trunk/subversion/libsvn_fs_x/util.c Fri Jan 16 19:25:45 2015
@@ -160,7 +160,7 @@ construct_shard_sub_path(svn_fs_t *fs,
                          apr_pool_t *result_pool)
 {
   svn_fs_x__data_t *ffd = fs->fsap_data;
-  char buffer[SVN_INT64_BUFFER_SIZE + sizeof(PATH_EXT_PACKED_SHARD)];
+  char buffer[SVN_INT64_BUFFER_SIZE + sizeof(PATH_EXT_PACKED_SHARD)] = { 0 };
 
   /* Select the appropriate parent path constant. */
   const char *parent = revprops ? PATH_REVPROPS_DIR : PATH_REVS_DIR;
@@ -288,7 +288,7 @@ construct_txn_path(svn_fs_t *fs,
                    apr_pool_t *result_pool)
 {
   /* Construct the transaction directory name without temp. allocations. */
-  char buffer[SVN_INT64_BUFFER_SIZE + sizeof(PATH_EXT_TXN)];
+  char buffer[SVN_INT64_BUFFER_SIZE + sizeof(PATH_EXT_TXN)] = { 0 };
   apr_size_t len = svn__ui64tobase36(buffer, txn_id);
   strncpy(buffer + len, PATH_EXT_TXN, sizeof(buffer) - len - 1);
 
@@ -408,7 +408,7 @@ construct_proto_rev_path(svn_fs_t *fs,
                          apr_pool_t *result_pool)
 {
   /* Construct the file name without temp. allocations. */
-  char buffer[SVN_INT64_BUFFER_SIZE + sizeof(PATH_EXT_REV_LOCK)];
+  char buffer[SVN_INT64_BUFFER_SIZE + sizeof(PATH_EXT_REV_LOCK)] = { 0 };
   apr_size_t len = svn__ui64tobase36(buffer, txn_id);
   strncpy(buffer + len, suffix, sizeof(buffer) - len - 1);