git.itanic.dy.fi Git - rrdd/commitdiff
rrdtool: Fix strncat() usage
author Timo Kokkonen <timo.t.kokkonen@iki.fi>
Wed, 30 Sep 2020 17:05:52 +0000 (20:05 +0300)
committer Timo Kokkonen <timo.t.kokkonen@iki.fi>
Wed, 30 Sep 2020 17:05:52 +0000 (20:05 +0300)
As per strncat man page:

       If src contains n or more bytes, strncat() writes n+1 bytes to
       dest (n from src plus the terminating null byte).  Therefore,
       the size of dest must be at least strlen(dest)+n+1.

Therefore, we must ensure the destination buffer does not overflow if
src is large enough.

Signed-off-by: Timo Kokkonen <timo.t.kokkonen@iki.fi>
rrdtool.c

index ee4b111bbcfc626b4a7c815e68c3a72f4b655836..e347400063222f784b8bb6455c0b81353b0711c7 100644 (file)
--- a/rrdtool.c
+++ b/rrdtool.c
@@ -48,8 +48,9 @@ int rrdtool_draw_image(struct rrd_image *image)
 
        tmpfile[0] = 0;
        tmp[0] = 0;
-       strncat(tmpfile, image->image_filename, sizeof(tmpfile) - 1);
-       strncat(tmpfile, ".tmp", sizeof(tmpfile) - 1);
+       strncpy(tmpfile, image->image_filename, sizeof(tmpfile) - 1);
+       strncat(tmpfile, ".tmp",
+               sizeof(tmpfile) - strlen(image->image_filename) - 1);
 
        if (image->updatestr)
                updatestr = image->updatestr;
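Review bot: the new strncat() bound `sizeof(tmpfile) - strlen(image->image_filename) - 1` is computed in size_t, so when image->image_filename is longer than sizeof(tmpfile) - 1 the subtraction wraps to a very large value and the append of ".tmp" is effectively unbounded. In that same case the preceding `strncpy(tmpfile, image->image_filename, sizeof(tmpfile) - 1)` copies sizeof(tmpfile) - 1 bytes without writing a terminator, and the only initialisation visible in this hunk is `tmpfile[0] = 0`, so strncat() may then search for the end of the string beyond the array. Basing the bound on strlen(tmpfile) after the copy, with tmpfile[sizeof(tmpfile) - 1] explicitly set to 0, would remove the wraparound. Simpler still would be a single `snprintf(tmpfile, sizeof(tmpfile), "%s.tmp", image->image_filename)` with the return value compared against sizeof(tmpfile), so that a truncated name (one that would lose its ".tmp" suffix) is reported as an error instead of being used silently.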