Fixed possible buffer overflow caused by environment variable expansion.

2014-04-30 16:26:22 +00:00 · 2014-04-30 16:26:22 +00:00 · 3d1d2f5acc
commit 3d1d2f5acc
parent 8fbf673295
1 changed files with 18 additions and 6 deletions
--- a/bochs/config.cc
+++ b/bochs/config.cc
@ -1879,21 +1879,33 @@ static int parse_line_unformatted(const char *context, char *line)
          *pv = 0;
          if (strlen(varname)<1 || !(value = getenv(varname))) {
            if ((value = get_builtin_variable(varname))) {
+              if ((string_i + strlen(value)) < 512) {
                // append value to the string
                for (pv=(char *)value; *pv; pv++)
                    string[string_i++] = *pv;
+              } else {
+                BX_PANIC(("parse_line_unformatted(): out of memory"));
+              }
            } else {
              BX_PANIC(("could not look up environment variable '%s'", varname));
            }
          } else {
+            if ((string_i + strlen(value)) < 512) {
              // append value to the string
              for (pv=(char *)value; *pv; pv++)
                  string[string_i++] = *pv;
+            } else {
+              BX_PANIC(("parse_line_unformatted(): out of memory"));
+            }
          }
        }
 #endif
        if (!isspace(ptr[i]) || inquotes) {
+          if (string_i < 511) {
            string[string_i++] = ptr[i];
+          } else {
+            BX_PANIC(("parse_line_unformatted(): out of memory"));
+          }
        }
      }
    }