nagbalae/dunst
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix DoS in notification_format_message

Browse Source 
When using a format with a trailing % character, dunst ends in an
endless loop, searching for a % char, while pointing exactly with the
haystack on the % character.

Increasing the substring pointer will shift the pointer forwards onto
the actual NULL character and stop the loop.
This commit is contained in:
Benedikt Heine 2018-11-14 17:08:18 +01:00
parent 5f3960b171
commit cb16fe9d96
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/notification.c
View File

@ -376,7 +376,7 @@ static void notification_format_message(struct notification *n)
/* replace all formatter */ /* replace all formatter */
for(char *substr = strchr(n->msg, '%'); for(char *substr = strchr(n->msg, '%');
substr; substr && *substr;
substr = strchr(substr, '%')) { substr = strchr(substr, '%')) {
char pg[16]; char pg[16];
@ -450,6 +450,7 @@ static void notification_format_message(struct notification *n)
case '\0': case '\0':
LOG_W("format_string has trailing %% character. " LOG_W("format_string has trailing %% character. "
"To escape it use %%%%."); "To escape it use %%%%.");
substr++;
break; break;
default: default:
LOG_W("format_string %%%c is unknown.", substr[1]); LOG_W("format_string %%%c is unknown.", substr[1]);