summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPablo Barciela <[email protected]>2019-03-20 11:15:17 +0100
committerPablo Barciela <[email protected]>2019-03-21 00:49:04 +0100
commitc16eee505ba1eb4b78a2ae9b1af456b2687250f2 (patch)
tree0869ca9226a03bfeb358f2e1b80196b00d843463
parentd163a7e4e08d0b4e09a091db613f4ce7a9bf8bb9 (diff)
downloadengrampa-c16eee505ba1eb4b78a2ae9b1af456b2687250f2.tar.bz2
engrampa-c16eee505ba1eb4b78a2ae9b1af456b2687250f2.tar.xz
[Security] fr-process: avoid 'strcpy' and 'strcat'
Use 'g_strlcpy' instead of 'strcpy', and 'g_strlcat' instead of 'strcat' Fixes Clang static analyzer warnings: fr-process.c:696:5: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 strcpy(rarfile, argv[2]); ^~~~~~ fr-process.c:698:5: warning: Call to function 'strcat' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcat'. CWE-119 strcat(rarfile, "part1.rar"); ^~~~~~ fr-process.c:705:32: warning: Out of bound memory access (accessed memory precedes memory block) rarfile[strlen(rarfile)-5]=0; ~~~~~~~~~~~~~~~~~~~~~~~~~~^~
-rw-r--r--src/fr-process.c32
1 files changed, 16 insertions, 16 deletions
diff --git a/src/fr-process.c b/src/fr-process.c
index c65c02e..9404089 100644
--- a/src/fr-process.c
+++ b/src/fr-process.c
@@ -688,32 +688,32 @@ start_current_command (FrProcess *process)
for (scan = info->args; scan; scan = scan->next) {
argv[i++] = scan->data;
- if (g_str_has_prefix(commandline, "mv")) {
+ if (g_str_has_prefix (commandline, "mv")) {
- if ((i==3) && (!g_file_test(argv[2], G_FILE_TEST_EXISTS)) && (!fixname)) {
- char rarfile[strlen(argv[2])+7];
+ if ((i==3) && (!g_file_test (argv[2], G_FILE_TEST_EXISTS)) && (!fixname)) {
+ char rarfile[strlen (argv[2]) + 7];
- strcpy(rarfile, argv[2]);
- rarfile[strlen(rarfile)-3]=0;
- strcat(rarfile, "part1.rar");
+ g_strlcpy (rarfile, argv[2], sizeof (rarfile));
+ rarfile[strlen (rarfile) - 3] = 0;
+ g_strlcat (rarfile, "part1.rar", sizeof (rarfile));
- if (g_str_has_suffix(argv[2], ".7z")) {
- commandline = g_strconcat(commandline, " ", g_shell_quote(argv[2]), ".*", NULL);
+ if (g_str_has_suffix (argv[2], ".7z")) {
+ commandline = g_strconcat (commandline, " ", g_shell_quote (argv[2]), ".*", NULL);
fixname = TRUE;
}
- else if (g_str_has_suffix(argv[2], ".rar")) {
- rarfile[strlen(rarfile)-5]=0;
- commandline = g_strconcat(commandline, " ", g_shell_quote(rarfile), "*.rar", NULL);
+ else if (g_str_has_suffix (argv[2], ".rar")) {
+ rarfile[strlen(rarfile) - 5] = 0;
+ commandline = g_strconcat (commandline, " ", g_shell_quote (rarfile), "*.rar", NULL);
fixname = TRUE;
}
}
else if ((i==4) && (fixname))
- commandline = g_strconcat(commandline, " \"$(dirname ", g_shell_quote(argv[3]), ")\"", NULL);
+ commandline = g_strconcat (commandline, " \"$(dirname ", g_shell_quote (argv[3]), ")\"", NULL);
else
- commandline = g_strconcat(commandline, " ", argv[(i-1)], NULL);
+ commandline = g_strconcat (commandline, " ", argv[(i - 1)], NULL);
}
- else if (g_str_has_prefix(argv[0], "mv")) {
- commandline = g_strconcat(commandline, "mv", NULL);
+ else if (g_str_has_prefix (argv[0], "mv")) {
+ commandline = g_strconcat (commandline, "mv", NULL);
}
}
@@ -736,7 +736,7 @@ start_current_command (FrProcess *process)
}
#endif
- if ((fixname) && (system(commandline) != 0))
+ if ((fixname) && (system (commandline) != 0))
g_warning ("The files could not be move: %s\n", commandline);
if (info->begin_func != NULL)