Fix buffer overflows in shortcut and workspace name handling

The handling of user defined shortcuts was not checking the length of the shortcut before copying it to a fixed-length temporary buffer, char buf[128]; strcpy(buf, shortcutDefinition); and strcpy() is well known for not checking if overflows will occur. In particular, wmaker was crashing here if a big 'shortcut' was defined either through WPrefs or by directly editing the configuration files. This is now avoided by using strncpy() instead. And this patch also fixes a similar buffer overflow for big workspace names too. Furthermore, use MAX_SHORTCUT_LENGTH instead of raw number and define it to be 32 instead of 128.
2025-12-19 12:28:22 +01:00 · 2008-11-09 20:18:05 +01:00
parent 06f59b9928
commit 3c323e1e9a
4 changed files with 13 additions and 10 deletions
--- a/src/usermenu.c
+++ b/src/usermenu.c
@@ -79,6 +79,7 @@

 #include "framewin.h"

+#define MAX_SHORTCUT_LENGTH 32

 /*** var ***/
 extern WPreferences wPreferences;
@@ -139,7 +140,7 @@ convertShortcuts(WScreen *scr, WMPropList *shortcut)
    KeySym ksym;
    char *k;
    char *buffer;
-    char buf[128], *b;
+    char buf[MAX_SHORTCUT_LENGTH], *b;
    int keycount,i,j,mod;

    if (WMIsPLString(shortcut)) {
@@ -163,9 +164,10 @@ convertShortcuts(WScreen *scr, WMPropList *shortcut)
    for (i=0,j=0;i<keycount;i++) {
        data->key[j].modifier = 0;
        if (WMIsPLArray(shortcut)) {
-            strcpy(buf, WMGetFromPLString(WMGetFromPLArray(shortcut, i)));
+            strncpy(buf, WMGetFromPLString(WMGetFromPLArray(shortcut, i)),
+		    MAX_SHORTCUT_LENGTH);
        } else {
-            strcpy(buf, WMGetFromPLString(shortcut));
+            strncpy(buf, WMGetFromPLString(shortcut), MAX_SHORTCUT_LENGTH);
        }
        b = (char*)buf;