BUG: Buffer not null terminated

Coverity reports: buffer_size_warning: Calling strncpy with a maximum size argument of 32 bytes on destination array "header.filename" of size 32 bytes might leave the destination string unterminated. If the buffer is treated as a null terminated string in later operations, a buffer overflow or over-read may occur. In itk::BioRadImageIO::Write(void const*): The string buffer may not have a null terminator if the source string's length is equal to the buffer size. Change-Id: I3b2a5fa83b0354580a99a48907a0518e785f2a6e
InsightSoftwareConsortium · May 29, 2014 · 6773f20 · 6773f20
1 parent 251ba3d
commit 6773f20
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/Modules/IO/BioRad/src/itkBioRadImageIO.cxx b/Modules/IO/BioRad/src/itkBioRadImageIO.cxx
@@ -500,8 +500,10 @@ void BioRadImageIO::Write(const void *buffer)
   // or simply
   // 4. FileName
   std::string filename = itksys::SystemTools::GetFilenameName(m_FileName);
-  // The buffer is at most 32 bytes:
-  strncpy( header.filename, filename.c_str(), sizeof( header.filename ) );
+  // The buffer is at most 32 bytes, but must be null-terminated.
+  // Here we copy at most 31 bytes and terminate it explicitly
+  strncpy( header.filename, filename.c_str(), sizeof( header.filename ) - 1);
+  header.filename[sizeof( header.filename ) - 1] = '\0';
   file.write( (char *)p, BIORAD_HEADER_LENGTH );
 
   //preparation for writing buffer: