Fix Coverity issue OVERRUN

IlanTruanovsky · IlanTruanovsky · commit 71cf792f69cc · 2023-01-17T11:23:41.000-08:00
lib/pkg_editor/src/pkg_editor.c:1641:5:
  Type: Out-of-bounds read (OVERRUN)

lib/pkg_editor/src/pkg_editor.c:1584:3:
  1. path: Condition "buffer != NULL", taking true branch. lib/pkg_editor/src/pkg_editor.c:1585:5:
  2. path: Condition "input == NULL", taking true branch. lib/pkg_editor/src/pkg_editor.c:1585:5:
  3. path: Falling through to end of if statement. lib/pkg_editor/src/pkg_editor.c:1588:3:
  4. path: Falling through to end of if statement. lib/pkg_editor/src/pkg_editor.c:1594:3:
  5. path: Condition "ret != 0", taking false branch. lib/pkg_editor/src/pkg_editor.c:1610:3:
  6. path: Condition "z_info.strm.avail_in &gt; 0", taking true branch. lib/pkg_editor/src/pkg_editor.c:1612:5:
  7. path: Condition "!read_data(&amp;info, 20UL /* sizeof (info) */, &amp;z_info, input)", taking false branch. lib/pkg_editor/src/pkg_editor.c:1617:5:
  8. path: Condition "info.magic != 3203399403U", taking false branch. lib/pkg_editor/src/pkg_editor.c:1625:5:
  9. path: Condition "info.kind == PACK_END", taking false branch. lib/pkg_editor/src/pkg_editor.c:1630:5:
  10. path: Condition "!read_data(name, info.name_length, &amp;z_info, input)", taking false branch. lib/pkg_editor/src/pkg_editor.c:1638:5:
  11. path: Condition "12288UL /* 3 * 4096 */ &lt; out_dir_length", taking true branch. lib/pkg_editor/src/pkg_editor.c:1638:5:
  12. cond_at_least: Checking "12288UL &lt; out_dir_length" implies that "out_dir_length" is at least 12289 on the true branch. lib/pkg_editor/src/pkg_editor.c:1641:5:
  13. overrun-local: Overrunning array of 12288 bytes at byte offset 12290 by dereferencing pointer "full_name + out_dir_length + 1". [Note: The source code implementation of the function has been overridden by a builtin model.]
diff --git a/lib/pkg_editor/src/pkg_editor.c b/lib/pkg_editor/src/pkg_editor.c
@@ -1642,11 +1642,12 @@ static int acl_pkg_unpack_buffer_or_file(const char *buffer, size_t buffer_size,
     }
 
     // Generate the full name, truncate or zero pad to avoid buffer overflow
-    if (FULL_NAME_LEN < out_dir_length) {
+    if (FULL_NAME_LEN <= out_dir_length + 1) {
       fprintf(stderr, "%s: Directory name too long\n", routine_name);
+    } else {
+      strncpy(full_name + out_dir_length + 1, name,
+              FULL_NAME_LEN - out_dir_length - 1);
     }
-    strncpy(full_name + out_dir_length + 1, name,
-            FULL_NAME_LEN - out_dir_length - 1);
     if (full_name[FULL_NAME_LEN - 1] != '\0') {
       full_name[FULL_NAME_LEN - 1] = '\0';
     }

Original file line number	Diff line number	Diff line change
`@@ -1642,11 +1642,12 @@ static int acl_pkg_unpack_buffer_or_file(const char *buffer, size_t buffer_size,`
`1642`	`1642`	`}`
`1643`	`1643`
`1644`	`1644`	`// Generate the full name, truncate or zero pad to avoid buffer overflow`
`1645`		`- if (FULL_NAME_LEN < out_dir_length) {`
	`1645`	`+ if (FULL_NAME_LEN <= out_dir_length + 1) {`
`1646`	`1646`	`fprintf(stderr, "%s: Directory name too long\n", routine_name);`
	`1647`	`+ } else {`
	`1648`	`+ strncpy(full_name + out_dir_length + 1, name,`
	`1649`	`+ FULL_NAME_LEN - out_dir_length - 1);`
`1647`	`1650`	`}`
`1648`		`- strncpy(full_name + out_dir_length + 1, name,`
`1649`		`- FULL_NAME_LEN - out_dir_length - 1);`
`1650`	`1651`	`if (full_name[FULL_NAME_LEN - 1] != '\0') {`
`1651`	`1652`	`full_name[FULL_NAME_LEN - 1] = '\0';`
`1652`	`1653`	`}`