Change Details

We convert a string like "W32:vendor/device" into "I:vendor;I:device", where the output is longer than the input, but only allocate space equal to the length of the input, leading to a buffer overflow. Instead, write to a large temporary on-stack buffer that we then strdup, and use snprintf rather than the wildly-unsafe combination of sprintf, strcpy and raw character writes, exiting if we ever run out of space. Found by: CHERI Obtained from: CheriBSD

We convert a string like "W32:vendor/device" into "I:vendor;I:device", where the output is longer than the input, but only allocate space equal to the length of the input, leading to a buffer overflow. Instead use open_memstream so we get a safe dynamically-grown buffer. Found by: CHERI Obtained from: CheriBSD

We convert a string like "W32:vendor/device" into "I:vendor;I:device", where the output is longer than the input, but only allocate space equal to the length of the input, leading to a buffer overflow. Instead, write to a large temporary on-stack buffer that we then strdup, and use snprintf rather than the wildly-unsafe combination of sprintf, strcpy and raw character writes, exiting if we ever run out of space use open_memstream so we get a safe dynamically-grown buffer. Found by: CHERI Obtained from: CheriBSD