From 8e890e3a0a5c91ba921d9fbedc532c596ff46dd1 Mon Sep 17 00:00:00 2001
From: =?utf8?q?V=C3=ADctor=20Manuel=20J=C3=A1quez=20Leal?=
 <vjaquez@igalia.com>
Date: Fri, 13 Jul 2018 14:07:49 +0200
Subject: [PATCH] av: avoid driver path truncation

Using strncat() and strncpy() may lead to string truncation, which
might generate other issues.

This patch replaces the usage of strncat() and strncpy() to generate
the driver path, with snprintf() safetly.

See more information here:
https://developers.redhat.com/blog/2018/05/24/detecting-string-truncation-with-gcc-8/
---
 va/va.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/va/va.c b/va/va.c
index 28ebe59..a950c6a 100644
--- a/va/va.c
+++ b/va/va.c
@@ -349,6 +349,23 @@ static VAStatus va_getDriverName(VADisplay dpy, char **driver_name)
     return pDisplayContext->vaGetDriverName(pDisplayContext, driver_name);
 }
 
+static char *va_getDriverPath(const char *driver_dir, const char *driver_name)
+{
+  int n = snprintf(0, 0, "%s/%s%s", driver_dir, driver_name, DRIVER_EXTENSION);
+  if (n < 0)
+      return NULL;
+  char *driver_path = (char *) malloc(n + 1);
+  if (!driver_path)
+      return NULL;
+  n = snprintf(driver_path, n + 1, "%s/%s%s",
+               driver_dir, driver_name, DRIVER_EXTENSION);
+  if (n < 0) {
+    free(driver_path);
+    return NULL;
+  }
+  return driver_path;
+}
+
 static VAStatus va_openDriver(VADisplay dpy, char *driver_name)
 {
     VADriverContextP ctx = CTX(dpy);
@@ -367,9 +384,7 @@ static VAStatus va_openDriver(VADisplay dpy, char *driver_name)
     driver_dir = strtok_r(search_path, ":", &saveptr);
     while (driver_dir) {
         void *handle = NULL;
-        char *driver_path = (char *) malloc( strlen(driver_dir) +
-                                             strlen(driver_name) +
-                                             strlen(DRIVER_EXTENSION) + 2 );
+        char *driver_path = va_getDriverPath(driver_dir, driver_name);
         if (!driver_path) {
             va_errorMessage(dpy, "%s L%d Out of memory!n",
                             __FUNCTION__, __LINE__);
@@ -377,11 +392,6 @@ static VAStatus va_openDriver(VADisplay dpy, char *driver_name)
             return VA_STATUS_ERROR_ALLOCATION_FAILED;
         }
 
-        strncpy( driver_path, driver_dir, strlen(driver_dir) + 1);
-        strncat( driver_path, "/", strlen("/") );
-        strncat( driver_path, driver_name, strlen(driver_name) );
-        strncat( driver_path, DRIVER_EXTENSION, strlen(DRIVER_EXTENSION) );
-        
         va_infoMessage(dpy, "Trying to open %s\n", driver_path);
 #ifndef ANDROID
         handle = dlopen( driver_path, RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE );
-- 
2.11.0