From 654ea5fae25f0863d958e3ecd0bc0672603e0b4c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 10 Jan 2014 11:15:43 +0100
Subject: [PATCH] Fix crash with crafted ini files.

If the key or value is bigger than 1024 we will end up in a buffer
overflow. The overflow is caught by _FORTIFY_SOURCE, so it's definitely
DoS-only.  Curiously, because of ample space in the stack frame, it does
not result in a crash without _FORTIFY_SOURCE in all cases.

Signed-off-by: Andreas Schneider <asn@samba.org>
---
 src/iniparser.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/iniparser.c b/src/iniparser.c
index 4430032..18dbbbe 100644
--- a/src/iniparser.c
+++ b/src/iniparser.c
@@ -633,7 +633,7 @@ dictionary * iniparser_load(const char * ininame)
     char line    [ASCIILINESZ+1] ;
     char section [ASCIILINESZ+1] ;
     char key     [ASCIILINESZ+1] ;
-    char tmp     [ASCIILINESZ+1] ;
+    char tmp     [(ASCIILINESZ * 2) + 1] ;
     char val     [ASCIILINESZ+1] ;
 
     int  last=0 ;
@@ -699,7 +699,7 @@ dictionary * iniparser_load(const char * ininame)
             break ;
 
             case LINE_VALUE:
-            sprintf(tmp, "%s:%s", section, key);
+            snprintf(tmp, sizeof(tmp), "%s:%s", section, key);
             errs = dictionary_set(dict, tmp, val) ;
             break ;
 
-- 
1.8.4.2