Security: replace all uses of strcat and strcpy with strncat and strncpy

NEWS

@@ -1,4 +1,4 @@
-$Id: NEWS,v 1.96 2006/03/17 16:36:33 rocky Exp $
+$Id: NEWS,v 1.97 2006/03/18 00:53:20 rocky Exp $
 
 version 0.77cvs
 =====================================
@@ -54,6 +54,8 @@ version 0.77cvs
 
 - Revise and improve example programs
 
+- Security: replace all uses of strcat and strcpy with strncat and strncpy
+
 version 0.76
 =====================================
 2005-09-23
@@ -341,4 +343,4 @@ version 0.1
 
   Routines split off from VCDImager.
 
-$Id: NEWS,v 1.96 2006/03/17 16:36:33 rocky Exp $
+$Id: NEWS,v 1.97 2006/03/18 00:53:20 rocky Exp $

include/cdio/util.h

@@ -1,5 +1,5 @@
 /*
-    $Id: util.h,v 1.9 2006/02/16 20:09:27 rocky Exp $
+    $Id: util.h,v 1.10 2006/03/18 00:53:20 rocky Exp $
 
     Copyright (C) 2000 Herbert Valerio Riedel <hvr@gnu.org>
     Copyright (C) 2004, 2005, 2006 Rocky Bernstein <rocky@panix.com>
@@ -91,9 +91,6 @@ _cdio_strdup_upper (const char str[]);
 void
 _cdio_strfreev(char **strv);
 
-char *
-_cdio_strjoin (char *strv[], unsigned count, const char delim[]);
-
 size_t
 _cdio_strlenv(char **str_array);
 

lib/cdda_interface/utils.c

@@ -1,5 +1,5 @@
 /*
-  $Id: utils.c,v 1.2 2005/01/14 01:36:12 rocky Exp $
+  $Id: utils.c,v 1.3 2006/03/18 00:53:20 rocky Exp $
 
   Copyright (C) 2004 Rocky Bernstein <rocky@panix.com>
   Copyright (C) 1998 Monty xiphmont@mit.edu
@@ -112,9 +112,10 @@ idmessage(int messagedest,char **messages,const char *f,
     if(!s)
       buffer=(char *)f;
     else{
-      buffer=malloc(strlen(f)+strlen(s)+10);
+      const unsigned int i_buffer=strlen(f)+strlen(s)+10;
+      buffer=malloc(i_buffer);
       sprintf(buffer,f,s);
-      strcat(buffer,"\n");
+      strncat(buffer,"\n", i_buffer);
       malloced=1;
     }
 
@@ -138,13 +139,15 @@ idmessage(int messagedest,char **messages,const char *f,
 }
 
 char *
-catstring(char *buff,const char *s){
+catstring(char *buff, const char *s) {
-  if(s){
+  if (s) {
-    if(buff)
+    const unsigned int add_len = strlen(s) + 9;
-      buff=realloc(buff,strlen(buff)+strlen(s)+9);
+    if(buff) {
-    else
+      buff = realloc(buff, strlen(buff) + add_len);
-      buff=calloc(strlen(s)+9,1);
+    } else {
-    strcat(buff,s);
+      buff=calloc(add_len, 1);
+    }
+    strncat(buff, s, add_len);
   }
   return(buff);
 }

lib/driver/gnu_linux.c

@@ -1,5 +1,5 @@
 /*
-    $Id: gnu_linux.c,v 1.19 2005/11/07 07:41:29 rocky Exp $
+    $Id: gnu_linux.c,v 1.20 2006/03/18 00:53:20 rocky Exp $
 
     Copyright (C) 2001 Herbert Valerio Riedel <hvr@gnu.org>
     Copyright (C) 2002, 2003, 2004, 2005 Rocky Bernstein <rocky@panix.com>
@@ -27,7 +27,7 @@
 # include "config.h"
 #endif
 
-static const char _rcsid[] = "$Id: gnu_linux.c,v 1.19 2005/11/07 07:41:29 rocky Exp $";
+static const char _rcsid[] = "$Id: gnu_linux.c,v 1.20 2006/03/18 00:53:20 rocky Exp $";
 
 #include <string.h>
 
@@ -140,20 +140,24 @@ check_mounts_linux(const char *mtab)
     char *tmp;
     char *mnt_type;
     char *mnt_dev;
+    unsigned int i_mnt_type;
+    unsigned int i_mnt_dev;
     
     while ( (mntent=getmntent(mntfp)) != NULL ) {
-      mnt_type = malloc(strlen(mntent->mnt_type) + 1);
+      i_mnt_type = strlen(mntent->mnt_type) + 1;
+      mnt_type = calloc(1, i_mnt_type);
       if (mnt_type == NULL)
 	continue;  /* maybe you'll get lucky next time. */
       
-      mnt_dev = malloc(strlen(mntent->mnt_fsname) + 1);
+      i_mnt_dev = strlen(mntent->mnt_fsname) + 1;
+      mnt_dev = calloc(1, i_mnt_dev);
       if (mnt_dev == NULL) {
 	free(mnt_type);
 	continue;
       }
       
-      strcpy(mnt_type, mntent->mnt_type);
+      strncpy(mnt_type, mntent->mnt_type, i_mnt_type);
-      strcpy(mnt_dev, mntent->mnt_fsname);
+      strncpy(mnt_dev, mntent->mnt_fsname, i_mnt_dev);
       
       /* Handle "supermount" filesystem mounts */
       if ( strcmp(mnt_type, "supermount") == 0 ) {

lib/driver/util.c

@@ -1,5 +1,5 @@
 /*
-    $Id: util.c,v 1.2 2005/02/03 07:35:15 rocky Exp $
+    $Id: util.c,v 1.3 2006/03/18 00:53:20 rocky Exp $
 
     Copyright (C) 2000 Herbert Valerio Riedel <hvr@gnu.org>
     Copyright (C) 2003, 2004, 2005 Rocky Bernstein <rocky@panix.com>
@@ -36,7 +36,7 @@
 #include <cdio/types.h>
 #include <cdio/util.h>
 
-static const char _rcsid[] = "$Id: util.c,v 1.2 2005/02/03 07:35:15 rocky Exp $";
+static const char _rcsid[] = "$Id: util.c,v 1.3 2006/03/18 00:53:20 rocky Exp $";
 
 size_t
 _cdio_strlenv(char **str_array)
@@ -64,36 +64,6 @@ _cdio_strfreev(char **strv)
   free(strv);
 }
 
-char *
-_cdio_strjoin (char *strv[], unsigned count, const char delim[])
-{
-  size_t len;
-  char *new_str;
-  unsigned n;
-
-  cdio_assert (strv != NULL);
-  cdio_assert (delim != NULL);
-
-  len = (count-1) * strlen (delim);
-
-  for (n = 0;n < count;n++)
-    len += strlen (strv[n]);
-
-  len++;
-
-  new_str = calloc (1, len);
-  new_str[0] = '\0';
-
-  for (n = 0;n < count;n++)
-    {
-      if (n)
-        strcat (new_str, delim);
-      strcat (new_str, strv[n]);
-    }
-  
-  return new_str;
-}
-
 char **
 _cdio_strsplit(const char str[], char delim) /* fixme -- non-reentrant */
 {

lib/udf/udf_fs.c

@@ -1,5 +1,5 @@
 /*
-    $Id: udf_fs.c,v 1.14 2006/01/26 04:41:50 rocky Exp $
+    $Id: udf_fs.c,v 1.15 2006/03/18 00:53:20 rocky Exp $
 
     Copyright (C) 2005 Rocky Bernstein <rocky@panix.com>
 
@@ -230,7 +230,7 @@ udf_fopen(udf_dirent_t *p_udf_root, const char *psz_name)
     char tokenline[udf_MAX_PATHLEN];
     char *psz_token;
     
-    strcpy(tokenline, psz_name);
+    strncpy(tokenline, psz_name, udf_MAX_PATHLEN);
     psz_token = strtok(tokenline, udf_PATH_DELIMITERS);
     if (psz_token)
       p_udf_file = udf_ff_traverse(p_udf_root, psz_token);