short-chain strlcpy bound fixes via strlcpy_append
Apply strlcpy_append (commit 78c52ab) to seven sites flagged
in the strlcpy-misuse audit, all sharing the same shape:
_len = strlcpy(dst, src1, sizeof(dst));
dst[_len] = c1;
dst[++_len] = c2;
...
strlcpy(dst + _len, src2, sizeof(dst) - _len);
None of these had a bound on _len. When src1 was longer
than sizeof(dst) - 1, strlcpy returned strlen(src1) >=
sizeof(dst) and:
- the dst[_len], dst[++_len], ... character writes ran
off the end of dst (stack buffer overflow);
- the trailing strlcpy got len - _len which underflowed
size_t, producing an unbounded copy.
Sites:
menu/drivers/materialui.c:8090 - "Draw message box".
dst is msg[NAME_MAX_LENGTH] which is 128 on Xbox1, 3DS,
PSP, PS2, GameCube, Wii, WiiU, PS3, Emscripten and 256
elsewhere. src1 is menu_st->input_dialog_kb_label[256]
(always 256 regardless of platform). On the small-
NAME_MAX_LENGTH platforms a long label drove _len up to
~255 and the chain wrote up to 127 bytes past the stack
frame. Reachable from any input dialog.
tasks/task_http.c:495 and tasks/task_http_emscripten.c:312 -
download status string. dst is tmp[NAME_MAX_LENGTH];
src1 is the localized "Downloading" string. Same
primitive on small-NAME_MAX_LENGTH platforms when a
translation pushed the prefix close to the cap.
menu/cbs/menu_cbs_sublabel.c:2164 - core backup CRC sublabel.
The chain wrote 8 character bytes ("00000000") plus a NUL
after the localized "Backup CRC: " prefix. dst is the
caller's s/len; if a translation pushed the prefix close
to len, the 9 byte writes ran past the caller's buffer.
steam/steam.c:449/471/493 - rich-presence content strings.
Three near-identical cases (CONTENT_SYSTEM, CONTENT_CORE,
CONTENT_SYSTEM_CORE). Each builds "LABEL (CONTENT)" or
"LABEL (N/A)" with hand-unrolled writes of " (", "N/A",
"/", "A", ")", "\0" at offsets _len + N. dst is
content[PATH_MAX_LENGTH] (512 on small platforms, 4096
elsewhere) and the per-character write offsets reached
_len + 12 on the SYSTEM_CORE variant; long labels OOB-
wrote up to 12 bytes past content.
Replace each chain with a sequence of strlcpy_append calls
on a single rolling cursor, with the helper handling the
bound check at every step. No functional change at the
buffer-fits-comfortably end; on small buffers the new code
truncates cleanly instead of stack-overflowing.
No new tests -- the strlcpy_append regression test from
commit 78c52ab covers the helper's contract; these are
just additional users.
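The following C program is an added illustration and is not part of this commit or of the project it targets. It shows the two failure modes the message describes without performing any out-of-bounds write: `unsafe_remaining_bound` reproduces the `sizeof(dst) - _len` arithmetic from the old chain (the `size_t` wrap-around), and `build_presence` rebuilds a "LABEL (CONTENT)" string with a single rolling cursor in the manner of the fix. `bsd_strlcpy` and `append_bounded` are local stand-ins written for this example; `append_bounded` is a hypothetical helper, not the project's `strlcpy_append`, whose exact signature the page does not show.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local clone of BSD strlcpy, named so it cannot clash with a libc that
 * ships its own. Like the real one it always returns strlen(src), even
 * when that is larger than size; that return value is the root of the
 * bug described in the commit message. */
static size_t bsd_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Mirrors the old chain's "sizeof(dst) - _len" without touching memory:
 * returns the bound the trailing copy would have been handed. When
 * strlen(src1) exceeds dst_size the subtraction wraps around and the
 * result is a huge "remaining" size, i.e. an unbounded copy. */
static size_t unsafe_remaining_bound(size_t dst_size, const char *src1)
{
    size_t len = strlen(src1);   /* what strlcpy returns, regardless of dst_size */
    return dst_size - len;       /* underflows when len > dst_size */
}

/* Hypothetical bounded append (assumption: not the project's helper).
 * Copies src into dst at cursor *pos, never past size - 1, and advances
 * *pos to the end of what was actually written. Once the buffer is full
 * the cursor is clamped at size - 1 and later calls become no-ops.
 * Returns 1 if src fit completely, 0 if it was truncated or dropped. */
static int append_bounded(char *dst, size_t size, size_t *pos, const char *src)
{
    size_t cap, n;
    if (size == 0)
        return 0;
    if (*pos >= size - 1) {      /* nothing left: keep the terminator in place */
        *pos = size - 1;
        dst[*pos] = '\0';
        return 0;
    }
    cap = size - *pos;           /* cannot wrap: *pos < size - 1 here */
    n = bsd_strlcpy(dst + *pos, src, cap);
    if (n >= cap) {              /* truncated: clamp the cursor */
        *pos = size - 1;
        return 0;
    }
    *pos += n;
    return 1;
}

/* Builds "LABEL (CONTENT)" or "LABEL (N/A)" on a fixed buffer with one
 * rolling cursor, the shape the commit replaces the unrolled writes with.
 * Returns 1 if the whole string fit, 0 if it was truncated. */
static int build_presence(char *dst, size_t size, const char *label, const char *content)
{
    size_t pos = 0;
    int ok = 1;
    if (size == 0)
        return 0;
    dst[0] = '\0';
    ok &= append_bounded(dst, size, &pos, label);
    ok &= append_bounded(dst, size, &pos, " (");
    ok &= append_bounded(dst, size, &pos, content ? content : "N/A");
    ok &= append_bounded(dst, size, &pos, ")");
    return ok;
}

int main(void)
{
    char buf[16];                /* constructed: a deliberately small buffer */
    const char *long_label = "A very long label";   /* constructed: 17 chars > 15 */

    printf("old chain's remaining bound for 16-byte dst: %zu\n",
           unsafe_remaining_bound(sizeof(buf), long_label));

    build_presence(buf, sizeof(buf), "System", "snes");
    printf("fits:      \"%s\"\n", buf);

    build_presence(buf, sizeof(buf), long_label, "snes");
    printf("truncated: \"%s\" (len %zu)\n", buf, strlen(buf));
    return 0;
}
```

The point to carry into review of similar chains is that `strlcpy`'s return value is a length of the source, not of what was written, so any cursor derived from it has to be clamped to `size - 1` before it is reused as an offset or subtracted from the buffer size.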