From 3de6bc7490ff6907cd0203c6143a75588458dbb9 Mon Sep 17 00:00:00 2001
From: Ulrich Sibiller <uli42@gmx.de>
Date: Thu, 23 Nov 2017 23:18:44 +0100
Subject: Dialog.c: fix possible buffer overflows

Fix write past the end of singlePath if PATH contains dirs longer than PATH_MAX.
---
 nx-X11/programs/Xserver/hw/nxagent/Display.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'nx-X11/programs/Xserver/hw')

diff --git a/nx-X11/programs/Xserver/hw/nxagent/Display.c b/nx-X11/programs/Xserver/hw/nxagent/Display.c
index f523dacde..d4e032046 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/Display.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/Display.c
@@ -1842,6 +1842,13 @@ static FILE *nxagentLookForIconFile(char *iconName, const char *permission,
 
     if (end != NULL)
     {
+      if ((end - path) > sizeof(singlePath) - 1)
+      {
+        fprintf(stderr, "Warning: Path too long - ignored.\n");
+        path = end + 1;
+        continue;
+      }
+
       strncpy(singlePath, path, (unsigned long)(end - path));
 
       singlePath[(unsigned long)(end - path)] = '\0';
@@ -1850,6 +1857,12 @@ static FILE *nxagentLookForIconFile(char *iconName, const char *permission,
     }
     else
     {
+      if (strlen(path) > sizeof(singlePath) - 1)
+      {
+        fprintf(stderr, "Error: Path too long.\n");
+        return NULL;
+      }
+
       strcpy(singlePath, path);
 
       breakLoop = 1;
-- 
cgit v1.2.3