_sion_read_header_fix_part does not sanitize input from file

`_sion_read_header_fix_part` allocates a buffer `lprefix` of length `SION_FILENAME_LENGTH` into which it reads `SION_FILENAME_LENGTH` bytes from the prefix field of the file header. Next, `lprefix` is duplicated using `strdup` without ensuring that `lprefix` actually contains a null byte. This is a potential buffer overflow. Possible fixes:

- make sure `lprefix` contains a null byte,
- use `strndup`,
- do not duplicate `lprefix`, possibly wasting up to `SION_FILENAME_LENGTH - 1` bytes.
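
The bounded copy suggested in the fixes above, as an added example that is not SIONlib's own code. `dup_fixed_field` and `read_prefix` are hypothetical names, and the value 1024 for `SION_FILENAME_LENGTH` is assumed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SION_FILENAME_LENGTH 1024 /* assumed value for this example */

/* Hypothetical helper: duplicate a fixed-width header field without reading
 * past it. Same result as strndup(field, len), written with ISO C calls.
 * *terminated reports whether the field contained a null byte at all. */
char *dup_fixed_field(const char *field, size_t len, int *terminated)
{
    const char *nul = memchr(field, '\0', len);
    size_t n = nul ? (size_t)(nul - field) : len;
    char *copy = malloc(n + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, field, n);
    copy[n] = '\0';               /* the copy is always terminated */
    if (terminated != NULL)
        *terminated = (nul != NULL);
    return copy;
}

/* Hypothetical reader: the prefix field is SION_FILENAME_LENGTH raw bytes
 * from an untrusted file. strdup(lprefix) here would scan past the buffer
 * whenever the file supplies no null byte. */
char *read_prefix(FILE *fp, int *terminated)
{
    char lprefix[SION_FILENAME_LENGTH];
    if (fread(lprefix, 1, sizeof lprefix, fp) != sizeof lprefix)
        return NULL;              /* truncated header */
    return dup_fixed_field(lprefix, sizeof lprefix, terminated);
}

int main(void)
{
    char field[SION_FILENAME_LENGTH];
    int terminated = 0;
    FILE *fp = tmpfile();         /* constructed sample input */
    if (fp == NULL)
        return 1;
    memset(field, 'A', sizeof field);   /* malformed: no null byte */
    fwrite(field, 1, sizeof field, fp);
    rewind(fp);
    char *prefix = read_prefix(fp, &terminated);
    if (prefix != NULL)
        printf("len=%zu terminated=%d\n", strlen(prefix), terminated);
    free(prefix);
    fclose(fp);
    return 0;
}
```

A caller that wants to reject malformed headers instead of accepting a maximum-length prefix can treat `terminated == 0` as a parse error.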