Potential Buffer Overflow getenv(LANG) in src/w_help.c
In https://bugs.debian.org/992395 the following issue was reported:
From: "Potential Buffer Overflow vulnerability in xfig-3.2.7b" subin.kim@prosys.kr
Subject: Bug#992395: xfig: Potential Buffer Overflow vulnerability in src/w_help.c
It seems that there exists a potential Buffer Overflow.
(src/w_help.c:55) sprintf(filename, "%s/html/%s/index.html", XFIGDOCDIR, getenv("LANG"));
The length of getenv("LANG") may become very long and cause a buffer overflow while executing sprintf(...).
I fear that it's true that this is a potential buffer overflow, but it isn't very important, since the user has to change LANG to something very long himself, and xfig is not run automatically or internally or the like.
Greetings
Roland
Especially because there is exactly one possibility for LANG, 'japanese', to succeed in finding such documentation. Since Japanese users might not be too keen to read the increasingly outdated translated manual, and the English manual contains a link to the Japanese version, I tend to delete references to a localized version in the xfig code altogether.
Somehow related, the Japanese version should be clearly tagged with the xfig version for which it was last actualized. Currently, it displays the banner of the current version on top.
Off topic: the original bug report contains a reference to the kernel Linux 4.4.0-19041-Microsoft. Does this suggest that a user runs xfig under the Windows Subsystem for Linux?
Here's a minimal patch to use snprintf() instead of sprintf().
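As an added illustration (not xfig's code and not the patch referred to above): the reported sprintf() pattern beside a bounded replacement that also checks snprintf()'s return value, because snprintf() prevents the overflow but truncates silently. The value of XFIGDOCDIR, the buffer size and the fallback when LANG is unset are assumptions.

```c
/* Added example, not xfig's source. XFIGDOCDIR, the buffer size and
 * the fallback path are assumed values for illustration only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XFIGDOCDIR "/usr/share/doc/xfig"  /* assumed; set at build time in xfig */
#define HELP_PATH_LEN 256                 /* assumed buffer size */

/* Reported pattern (kept as a comment so nothing here can overflow):
 *   sprintf(filename, "%s/html/%s/index.html", XFIGDOCDIR, getenv("LANG"));
 * Nothing bounds the LANG value, so a long enough value runs past filename. */

/* Bounded replacement. `lang` is passed in (the caller hands over
 * getenv("LANG")) so the function can be tested without the environment.
 * Returns 0 on success and -1 when the path does not fit; on -1 the
 * buffer holds an empty string rather than a truncated, misleading path. */
int build_help_path(char *out, size_t outsz, const char *lang)
{
    int n;

    if (out == NULL || outsz == 0)
        return -1;

    if (lang == NULL || *lang == '\0')
        /* assumed fallback: the untranslated manual, no locale component */
        n = snprintf(out, outsz, "%s/html/index.html", XFIGDOCDIR);
    else
        n = snprintf(out, outsz, "%s/html/%s/index.html", XFIGDOCDIR, lang);

    /* snprintf() returns the length the full string would have had;
     * n >= outsz means it was cut short, n < 0 means an encoding error. */
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char filename[HELP_PATH_LEN];

    if (build_help_path(filename, sizeof filename, getenv("LANG")) == 0)
        printf("help file: %s\n", filename);
    else
        printf("help path does not fit in %d bytes\n", HELP_PATH_LEN);
    return 0;
}
```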
Commit [ebacf5] applies the patch.
Related
Commit: [ebacf5]
It should be fixed by commit 1c4e13, not ebacf5 (which is only some doc update).