From bbb13e808b89bfaf544441b0e7f9b3bae48993bd Mon Sep 17 00:00:00 2001
From: Kurt Schwehr
Date: Thu, 31 May 2018 02:07:30 -0700
Subject: Fix buffer overflow in gie.c:append_args() (#1023)

Observed a buffer overflow in append_args with autofuzz with the strcpy in append_args. I think the +2 is required to account for both a nul char and the space.
---
 src/gie.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/gie.c b/src/gie.c
index 1e362181..ab09dc14 100644
--- a/src/gie.c
+++ b/src/gie.c
@@ -1422,7 +1422,8 @@ static int append_args (ffio *G) {
     if (tag)
         skip_chars = strlen (tag);
 
-    if (G->args_size < args_len + next_len - skip_chars + 1) {
+    /* +2: 1 for the space separator and 1 for the NUL termination. */
+    if (G->args_size < args_len + next_len - skip_chars + 2) {
         void *p = realloc (G->args, 2 * G->args_size);
         if (0==p)
             return 0;
-- 
cgit v1.2.3
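Review bot: The corrected size check on the added `if` line is still paired with a single `realloc (G->args, 2 * G->args_size)`, so when `args_len + next_len - skip_chars + 2` exceeds twice the current capacity the buffer is grown once and remains too small for the copy that follows; the commit fixes the off-by-one but not the growth policy, unless code after the hunk re-checks the size. Compute the required size and grow to at least that: `size_t need = args_len + next_len - skip_chars + 2;` `size_t new_size = 2 * G->args_size > need ? 2 * G->args_size : need;` `void *p = realloc (G->args, new_size);`, with the `G->args_size` update that presumably follows the hunk set to `new_size` as well. The same form also handles a starting `G->args_size` of 0, which pure doubling would never grow. append_args begins and continues outside the hunk, so the copy and the size update cannot be confirmed from here.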