From: Hans-Bernhard B. <br...@us...> - 2006-08-20 15:00:41
Update of /cvsroot/cscope/cscope/src In directory sc8-pr-cvs4.sourceforge.net:/tmp/cvs-serv19657/src Modified Files: build.c command.c dir.c display.c edit.c input.c main.c constants.h Log Message: Avoid some possible buffer overflows by limiting the size of scanf(%s). Index: build.c =================================================================== RCS file: /cvsroot/cscope/cscope/src/build.c,v retrieving revision 1.11 retrieving revision 1.12 diff -C2 -r1.11 -r1.12 *** build.c 23 Jul 2006 20:59:20 -0000 1.11 --- build.c 20 Aug 2006 15:00:33 -0000 1.12 *************** *** 125,129 **** /* see if the name list is the same */ for (i = 0; i < count; ++i) { ! if (fscanf(oldrefs, "%s", oldname) != 1 || strnotequal(oldname, names[i])) { return(NO); --- 125,129 ---- /* see if the name list is the same */ for (i = 0; i < count; ++i) { ! if (! fgets(oldname, sizeof(oldname), oldrefs)|| strnotequal(oldname, names[i])) { return(NO); *************** *** 233,237 **** if ((oldrefs = vpfopen(reffile, "rb")) != NULL && unconditional == NO ! && fscanf(oldrefs, "cscope %d %s", &fileversion, olddir) == 2 && (strcmp(olddir, currentdir) == 0 /* remain compatible */ || strcmp(olddir, newdir) == 0)) { --- 233,237 ---- if ((oldrefs = vpfopen(reffile, "rb")) != NULL && unconditional == NO ! && fscanf(oldrefs, "cscope %d %" PATHLEN_STR "s", &fileversion, olddir) == 2 && (strcmp(olddir, currentdir) == 0 /* remain compatible */ || strcmp(olddir, newdir) == 0)) { *************** *** 306,310 **** none have been changed up to the included files */ for (i = 0; i < nsrcfiles; ++i) { ! if (fscanf(oldrefs, "%s", oldname) != 1 || strnotequal(oldname, srcfiles[i]) || lstat(srcfiles[i], &statstruct) != 0 || --- 306,310 ---- none have been changed up to the included files */ for (i = 0; i < nsrcfiles; ++i) { ! if (! 
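Review bot: The new `fgets(oldname, sizeof(oldname), oldrefs)` in the 125,129 hunk keeps the trailing newline that the old `%s` conversion discarded, so `strnotequal(oldname, names[i])` on the next line compares `"name\n"` with `"name"`; unless strnotequal tolerates the newline (its definition is not in the diff), the name list never matches and the cross-reference is rebuilt on every run. The same applies to the 306,310 and 315,319 hunks of build.c (where `addsrcfile(oldname)` would store the newline as part of the file name) and to the 503,511 and 523,527 hunks of main.c. Strip it after each successful read, `oldname[strcspn(oldname, "\n")] = '\0';`, and treat a line that contains no newline (other than the last line of the file) as longer than the buffer, since its remainder would otherwise be read as the next name. Note also that `%s` skipped leading blanks and empty lines, which `fgets` does not; that is only safe if the file is written strictly one name per line, which the surrounding code suggests but the hunk does not show.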
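Review bot: A `%" PATHLEN_STR "s` conversion in the 233,237 hunk stores up to PATHLEN characters plus the terminator, so `olddir` must be at least `PATHLEN + 1` bytes; its declaration is outside the hunk, so please confirm it is `char olddir[PATHLEN + 1]` and not `[PATHLEN]`, in which case the new width still overflows by one byte. The same size check applies to every target of the new width-limited conversions in command.c (`newfile`, `linenum`), dir.c (`path`), display.c (`file`, `function`, `linenum`, `tempstring`) and edit.c (`file`, `linenum`); only `tempstring[TEMPSTRING_LEN + 1]` in main.c is visible in this diff, and it matches its `%" TEMPSTRING_LEN_STR "[^\n]` width. A short comment next to each such buffer, e.g. `/* scanf width PATHLEN: needs PATHLEN + 1 bytes */`, would keep the two from drifting apart. The enclosing `if` condition and its function continue outside the hunk.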
fgets(oldname, sizeof(oldname), oldrefs) || strnotequal(oldname, srcfiles[i]) || lstat(srcfiles[i], &statstruct) != 0 || *************** *** 315,319 **** /* the old cross-reference is up-to-date */ /* so get the list of included files */ ! while (i++ < oldnum && fscanf(oldrefs, "%s", oldname) == 1) { addsrcfile(oldname); } --- 315,319 ---- /* the old cross-reference is up-to-date */ /* so get the list of included files */ ! while (i++ < oldnum && fgets(oldname, sizeof(oldname), oldrefs)) { addsrcfile(oldname); } Index: command.c =================================================================== RCS file: /cvsroot/cscope/cscope/src/command.c,v retrieving revision 1.31 retrieving revision 1.32 diff -C2 -r1.31 -r1.32 *** command.c 23 Jul 2006 20:59:20 -0000 1.31 --- command.c 20 Aug 2006 15:00:33 -0000 1.32 *************** *** 729,733 **** seekline(1); for (i = 0; ! fscanf(refsfound, "%s%*s%s%*[^\n]", newfile, linenum) == 2; ++i) { /* see if the line is to be changed */ --- 729,733 ---- seekline(1); for (i = 0; ! fscanf(refsfound, "%" PATHLEN_STR "s%*s%" NUMLEN_STR "s%*[^\n]", newfile, linenum) == 2; ++i) { /* see if the line is to be changed */ Index: dir.c =================================================================== RCS file: /cvsroot/cscope/cscope/src/dir.c,v retrieving revision 1.27 retrieving revision 1.28 diff -C2 -r1.27 -r1.28 *** dir.c 23 Jul 2006 20:59:20 -0000 1.27 --- dir.c 20 Aug 2006 15:00:34 -0000 1.28 *************** *** 331,335 **** /* Parse whitespace-terminated strings in line: */ point_in_line = line; ! while (sscanf(point_in_line, "%s", path) == 1) { /* Have to store this length --- inviewpath() will * modify path, later! */ --- 331,335 ---- /* Parse whitespace-terminated strings in line: */ point_in_line = line; ! while (sscanf(point_in_line, "%" PATHLEN_STR "s", path) == 1) { /* Have to store this length --- inviewpath() will * modify path, later! 
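Review bot: In the command.c hunk, when a path in `refsfound` is longer than PATHLEN the `%" PATHLEN_STR "s` conversion now stops mid-token and the following `%*s` silently consumes the rest of the path, so `linenum` is filled from the function-name column while the `== 2` check still passes; the overflow is gone, but the record is mis-parsed with no signal. The same field shift affects the display.c hunk and both edit.c hunks. Since the cross-reference is produced by cscope itself, the cheaper fix is to bound what is written; failing that, treat `strlen(newfile) == PATHLEN` after the read as a probable truncation and skip or report that line. The enclosing `for` body continues outside the hunk.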
*/ Index: display.c =================================================================== RCS file: /cvsroot/cscope/cscope/src/display.c,v retrieving revision 1.28 retrieving revision 1.29 diff -C2 -r1.28 -r1.29 *** display.c 23 Jul 2006 20:59:20 -0000 1.28 --- display.c 20 Aug 2006 15:00:34 -0000 1.29 *************** *** 225,229 **** ++disprefs, ++screenline) { /* read the reference line */ ! if (fscanf(refsfound, "%s%s%s %[^\n]", file, function, linenum, tempstring) < 4) { break; --- 225,229 ---- ++disprefs, ++screenline) { /* read the reference line */ ! if (fscanf(refsfound, "%" PATHLEN_STR "s%" PATHLEN_STR "s%" NUMLEN_STR "s %" TEMPSTRING_LEN_STR "[^\n]", file, function, linenum, tempstring) < 4) { break; Index: edit.c =================================================================== RCS file: /cvsroot/cscope/cscope/src/edit.c,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -r1.5 -r1.6 *** edit.c 27 Mar 2001 14:09:19 -0000 1.5 --- edit.c 20 Aug 2006 15:00:34 -0000 1.6 *************** *** 61,65 **** /* get the file name and line number */ ! if (fscanf(refsfound, "%s%*s%s", file, linenum) == 2) { edit(file, linenum); /* edit it */ } --- 61,65 ---- /* get the file name and line number */ ! if (fscanf(refsfound, "%" PATHLEN_STR "s%*s%" NUMLEN_STR "s", file, linenum) == 2) { edit(file, linenum); /* edit it */ } *************** *** 84,88 **** /* get each file name and line number */ ! while (fscanf(refsfound, "%s%*s%s%*[^\n]", file, linenum) == 2) { edit(file, linenum); /* edit it */ if (editallprompt == YES) { --- 84,88 ---- /* get each file name and line number */ ! 
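Review bot: In the dir.c hunk, a whitespace-terminated name longer than PATHLEN no longer overflows `path`, but the unread tail of that token stays in `point_in_line`, and depending on how the pointer is advanced further down the loop the tail is likely to be picked up by the next `sscanf` as a second, separate path, so one over-long entry silently becomes two bogus ones. The loop body and the advance of `point_in_line` are outside the hunk, so I cannot confirm this; if the advance is by `strlen(path)`, consider treating `strlen(path) == PATHLEN` followed by a non-blank character as an over-long entry and reporting it instead of processing it.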
while (fscanf(refsfound, "%" PATHLEN_STR "s%*s%" NUMLEN_STR "s%*[^\n]", file, linenum) == 2) { edit(file, linenum); /* edit it */ if (editallprompt == YES) { Index: input.c =================================================================== RCS file: /cvsroot/cscope/cscope/src/input.c,v retrieving revision 1.14 retrieving revision 1.15 diff -C2 -r1.14 -r1.15 *** input.c 21 Apr 2006 10:42:15 -0000 1.14 --- input.c 20 Aug 2006 15:00:34 -0000 1.15 *************** *** 291,304 **** if (*out == '\0') { v = getenv("HOME"); ! } ! else { /* get the home directory of the login name */ v = logdir(out); } ! /* copy the directory name */ ! if (v != NULL) { strcpy(out - 1, v); out += strlen(v) - 1; ! } ! else { /* login not found, so ~ must be part of the file name */ out += strlen(out); } --- 291,303 ---- if (*out == '\0') { v = getenv("HOME"); ! } else { /* get the home directory of the login name */ v = logdir(out); } ! /* copy the directory name if it isn't too big */ ! if (v != NULL && strlen(v) < (lastchar - out)) { strcpy(out - 1, v); out += strlen(v) - 1; ! } else { ! /* login not found, so ~ must be part of the file name */ out += strlen(out); } *************** *** 319,328 **** *s = '\0'; ! /* get its value */ ! if ((v = getenv(out)) != NULL) { strcpy(out - 1, v); out += strlen(v) - 1; ! } ! else { /* var not found, so $ must be part of the file name */ out += strlen(out); } --- 318,328 ---- *s = '\0'; ! /* get its value, but only it isn't too big */ ! if ((v = getenv(out)) != NULL && strlen(v) < (lastchar - out)) { strcpy(out - 1, v); out += strlen(v) - 1; ! } else { ! /* var not found, or too big, so assume $ must be part of the ! 
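Review bot: The new guard `strlen(v) < (lastchar - out)` in the input.c 291,304 hunk compares a `size_t` with a pointer difference; should `out` ever be at or past `lastchar`, the negative difference converts to a huge unsigned value, the guard passes, and `strcpy(out - 1, v)` overflows the buffer it is meant to protect. The same comparison is added in the 319,328 hunk. Safer is `if (v != NULL && out < lastchar && strlen(v) < (size_t)(lastchar - out)) {`; whether `lastchar` is the last valid byte or one past the end is not visible here and decides whether `<` is the exact bound, so please confirm it against its definition. The `else` comment in this hunk still reads `login not found`, although a too-long home directory now also lands in that branch; the 319,328 hunk updates its comment and this one should match.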
* file name */ out += strlen(out); } Index: main.c =================================================================== RCS file: /cvsroot/cscope/cscope/src/main.c,v retrieving revision 1.40 retrieving revision 1.41 diff -C2 -r1.40 -r1.41 *** main.c 23 Jul 2006 20:59:20 -0000 1.40 --- main.c 20 Aug 2006 15:00:34 -0000 1.41 *************** *** 102,109 **** char temp1[PATHLEN + 1]; /* temporary file name */ char temp2[PATHLEN + 1]; /* temporary file name */ ! char tempdirpv[PATHLEN +1]; /* private temp directory */ long totalterms; /* total inverted index terms */ BOOL trun_syms; /* truncate symbols to 8 characters */ ! char tempstring[8192]; /* use this as a buffer, instead of 'yytext', * which had better be left alone */ char *tmpdir; /* temporary directory */ --- 102,109 ---- char temp1[PATHLEN + 1]; /* temporary file name */ char temp2[PATHLEN + 1]; /* temporary file name */ ! char tempdirpv[PATHLEN + 1]; /* private temp directory */ long totalterms; /* total inverted index terms */ BOOL trun_syms; /* truncate symbols to 8 characters */ ! char tempstring[TEMPSTRING_LEN + 1]; /* use this as a buffer, instead of 'yytext', * which had better be left alone */ char *tmpdir; /* temporary directory */ *************** *** 270,273 **** --- 270,278 ---- case 'f': /* alternate cross-reference file */ reffile = s; + if (strlen(reffile) > sizeof(path) - 1) { + postfatal("\ + cscope: reffile too long, cannot be > %d characters\n", sizeof(path) - 1); + /* NOTREACHED */ + } strcpy(path, s); #ifdef SHORT_NAMES_ONLY *************** *** 503,511 **** /* read any -p option from it */ ! while (fscanf(names, "%s", path) == 1 && *path == '-') { i = path[1]; s = path + 2; /* for "-Ipath" */ if (*s == '\0') { /* if "-I path" */ ! fscanf(names, "%s", path); s = path; } --- 508,516 ---- /* read any -p option from it */ ! while (fgets(path, sizeof(path), names) != NULL && *path == '-') { i = path[1]; s = path + 2; /* for "-Ipath" */ if (*s == '\0') { /* if "-I path" */ ! 
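Review bot: The new comment in the input.c 319,328 hunk is missing a word: `/* get its value, but only it isn't too big */` should read `/* get its value, but only if it isn't too big */`. It would also help to state the user-visible effect, which the `else` branch implies: an over-long value is not expanded and the `$name` text is kept literally in the file name.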
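Review bot: The new `postfatal(...)` in the main.c 270,273 hunk passes `sizeof(path) - 1`, a `size_t`, to a `%d` conversion, which is a format/argument type mismatch (undefined behaviour, and it may print garbage where `size_t` is wider than `int`, assuming postfatal forwards to a printf-style routine); cast it, `(int)(sizeof(path) - 1));`, or use `%lu` with `(unsigned long)`. The length check itself is the right bound for the `strcpy(path, s)` that follows. The `path` array and the enclosing option-parsing switch are declared outside the hunk.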
fgets(path, sizeof(path), names); s = path; } *************** *** 523,527 **** } else { for (i = 0; i < nsrcfiles; ++i) { ! if (fscanf(oldrefs, "%s", path) != 1) { postfatal("\ cscope: cannot read source file name from file %s\n", --- 528,532 ---- } else { for (i = 0; i < nsrcfiles; ++i) { ! if (!fgets(path, sizeof(path), oldrefs) ) { postfatal("\ cscope: cannot read source file name from file %s\n", Index: constants.h =================================================================== RCS file: /cvsroot/cscope/cscope/src/constants.h,v retrieving revision 1.14 retrieving revision 1.15 diff -C2 -r1.14 -r1.15 *** constants.h 23 Jul 2006 20:59:20 -0000 1.14 --- constants.h 20 Aug 2006 15:00:34 -0000 1.15 *************** *** 69,72 **** --- 69,73 ---- #define PATHLEN 250 /* file pathname length */ #define PATLEN 250 /* symbol pattern length */ + #define TEMPSTRING_LEN 8191 /* max strlen() of the global temp string */ #define REFFILE "cscope.out" /* cross-reference output file */ #define NAMEFILE "cscope.files" /* default list-of-files file */ *************** *** 78,81 **** --- 79,89 ---- #define STMTMAX 10000 /* maximum source statement length */ + #define STR2(x) #x + #define STRINGIZE(x) STR2(x) + #define PATLEN_STR STRINGIZE(PATLEN) + #define PATHLEN_STR STRINGIZE(PATHLEN) + #define NUMLEN_STR STRINGIZE(NUMLEN) + #define TEMPSTRING_LEN_STR STRINGIZE(TEMPSTRING_LEN) + /* screen lines */ #define FLDLINE (LINES - FIELDS - 1) /* first input field line */ |
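Review bot: The second `fgets(path, sizeof(path), names);` in the main.c 503,511 hunk, inside the `-I path` case, ignores its return value, so at end of file `path` keeps its previous contents (the `-I` line) and `s = path` hands that stale text on as the include path. The old `fscanf` had the same gap, but the conversion is the moment to close it, e.g. `if (fgets(path, sizeof(path), names) == NULL) break;` or whatever the loop's end-of-file handling is. The loop body continues outside the hunk.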
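Review bot: The `*_STR` macros added in the constants.h 78,81 hunk are scanf field widths, and a width of N requires a target of N + 1 bytes; that contract is implicit, so a comment above them would keep the next buffer from being declared one byte short, e.g. `/* scanf field widths: a "%" PATHLEN_STR "s" target needs PATHLEN + 1 bytes */`. `NUMLEN` is stringized here but not defined in either hunk; presumably it is defined earlier in this header, but if it were not, `NUMLEN_STR` would expand to the literal text `"NUMLEN"` and the formats would silently become `%NUMLENs`, which the compiler will not warn about, so it is worth confirming.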