From bf4b006607b6245fe7eee8bca7b441f3e547511d Mon Sep 17 00:00:00 2001
From: Xavier Roche
Date: Wed, 25 Feb 2026 22:06:32 +0100
Subject: [PATCH] Fix off-by-one heap-buffer-overflow in get_or_create_temp_file()

The malloc size calculation in get_or_create_temp_file() allocates strlen(tmp_dir) + strlen(prefix) + strlen(data.digest) + 2 bytes, but the constructed path "tmp_dir/prefix-digest\0" requires +3 bytes (for '/', '-', and the NUL terminator), not +2. This causes a 1-byte heap-buffer-overflow when strcat writes the NUL terminator of data.digest past the end of the allocated buffer.

Make the arithmetic explicit by writing each component's length separately (+1 for each separator and the terminator), matching the four strcat calls that follow.

The sister function create_temp_file() is not affected: its format "tmp_dir/prefix.XXXXXX" only has one separator ('/'), and ".XXXXXX" is already measured by strlen(".XXXXXX").

Fixes #492
---
 src/lib/loader.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/lib/loader.c b/src/lib/loader.c
index cd1aa9e0..8b97690a 100644
--- a/src/lib/loader.c
+++ b/src/lib/loader.c
@@ -209,8 +209,9 @@ static char *get_or_create_temp_file(const char *prefix, EmbeddedData data,
 return NULL;
 }
 
+ // +3 for '/' separator, '-' separator, and NUL terminator
 char *path =
- malloc(strlen(tmp_dir) + strlen(prefix) + strlen(data.digest) + 2);
+ malloc(strlen(tmp_dir) + 1 + strlen(prefix) + 1 + strlen(data.digest) + 1);
 if (path == NULL) {
 return NULL;
 }
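Review bot: The corrected malloc size and the writes it has to bound still live in two separate places, because the strcat calls the description refers to come after this hunk, so the only thing keeping them in step after this fix is the new comment. Naming the length and handing it to a bounded formatter ties the allocation and the write together by construction: `size_t path_len = strlen(tmp_dir) + 1 + strlen(prefix) + 1 + strlen(data.digest) + 1;`, `char *path = malloc(path_len);`, and then, in place of the strcat sequence below, `snprintf(path, path_len, "%s/%s-%s", tmp_dir, prefix, data.digest);`. The "%s/%s-%s" shape is inferred from the description's "tmp_dir/prefix-digest" example, so confirm it against the actual strcat calls before making that change. get_or_create_temp_file continues outside the hunk.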