Fixed buffer overflow in el_delete_attachmwent() with long file names

2022-03-28 14:03:56 +02:00
parent d828aa5830
commit 2ba240f76d
2 changed files with 5 additions and 5 deletions
@@ -370,16 +370,16 @@ static char *sha256_crypt_r(const char *key, const char *salt, char *buffer, int
   salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX);
   key_len = strlen(key);

-   if ((key - (char *) 0) % __alignof__(uint32_t) != 0) {
+   if ((reinterpret_cast<uintptr_t>(key)) % __alignof__(uint32_t) != 0) {
      char *tmp = (char *) alloca(key_len + __alignof__(uint32_t));
      key = copied_key = (char *) memcpy(tmp + __alignof__(uint32_t)
-                                - (tmp - (char *) 0) % __alignof__(uint32_t), key, key_len);
+                                - (reinterpret_cast<uintptr_t>(tmp)) % __alignof__(uint32_t), key, key_len);
   }

-   if ((salt - (char *) 0) % __alignof__(uint32_t) != 0) {
+   if ((reinterpret_cast<uintptr_t>(salt)) % __alignof__(uint32_t) != 0) {
      char *tmp = (char *) alloca(salt_len + __alignof__(uint32_t));
      salt = copied_salt = (char *) memcpy(tmp + __alignof__(uint32_t)
-                                  - (tmp - (char *) 0) % __alignof__(uint32_t), salt, salt_len);
+                                  - (reinterpret_cast<uintptr_t>(tmp)) % __alignof__(uint32_t), salt, salt_len);
   }

   /* Prepare for the real work.  */
@@ -4666,7 +4666,7 @@ int el_submit_attachment(LOGBOOK *lbs, const char *afilename, const char *buffer

 void el_delete_attachment(LOGBOOK *lbs, char *file_name) {
   int i;
-   char str[MAX_PATH_LENGTH], subdir[MAX_PATH_LENGTH];
+   char str[2*MAX_PATH_LENGTH], subdir[MAX_PATH_LENGTH];

   strlcpy(str, lbs->data_dir, sizeof(str));
   generate_subdir_name(file_name, subdir, sizeof(subdir));