From a892c8cd224ec7d36ea02cd3a2dbdf682f9be8e0 Mon Sep 17 00:00:00 2001 From: Timo Kokkonen Date: Wed, 30 Sep 2020 20:05:52 +0300 Subject: [PATCH] rrdtool: Fix strncat() usage As per strncat man page: If src contains n or more bytes, strncat() writes n+1 bytes to dest (n from src plus the terminating null byte). Therefore, the size of dest must be at least strlen(dest)+n+1. Therefore, we must ensure the destination buffere does not overflow is src is large enough. Signed-off-by: Timo Kokkonen --- rrdtool.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rrdtool.c b/rrdtool.c index ee4b111..e347400 100644 --- a/rrdtool.c +++ b/rrdtool.c @@ -48,8 +48,9 @@ int rrdtool_draw_image(struct rrd_image *image) tmpfile[0] = 0; tmp[0] = 0; - strncat(tmpfile, image->image_filename, sizeof(tmpfile) - 1); - strncat(tmpfile, ".tmp", sizeof(tmpfile) - 1); + strncpy(tmpfile, image->image_filename, sizeof(tmpfile) - 1); + strncat(tmpfile, ".tmp", + sizeof(tmpfile) - strlen(image->image_filename) - 1); if (image->updatestr) updatestr = image->updatestr; -- 2.45.0