2010.07.12 20:31 "Re: [Tiff] strncpy in tiffcrop", by Edward Lam
Richard Nolde wrote:
>> I only see problematic uses of strncpy in tiffcrop. The other uses of
I'm usually pretty careful to make sure that the buffer is large enough to hold the original string plus the terminating NULL, but I'll check the code when I get a chance.
I must admit that I only took a cursory look at the code only to note whether we failed to NUL terminate after calling strncpy() so that it could very well be that tiffcrop's use of strncpy() is ok. I had more intended to point out that the other cases should be fine because we already NUL terminated immediately afterwards.
I'll just note that the problem with failing to NUL terminate after calling strncpy() is not that there might be insufficient memory. Let's take the first strncpy() call in tiffcrop.c's update_output_file() function as an example:
strncpy (exportname, outname, PATH_MAX - 15);
If strlen(outname) >= (PATH_MAX-15), then we will end up with a potentially unterminated exportname string (depending on the contents of the stack after PATH_MAX - 15 characters).
You may want to look at tiffcp as well (which I do not maintain).
I don't see any strcpy() or strncpy() calls in it although I did spot a a few fixed length char buffers that may or may not be handled properly. :)