DynaLink::Open strncpy ptlibPath may not be null-terminated #23

Closed
QiuhaoLi opened this issue Dec 12, 2022 · 1 comment
@QiuhaoLi

In crc\h323plus\plugins\video\common\dyna.cxx:81

  // try directories specified in PTLIBPLUGINDIR
  char ptlibPath[1024];
  memset(ptlibPath, 0, sizeof(ptlibPath));
  char * env = ::getenv("PTLIBPLUGINDIR");
  if (env != NULL)
    strncpy(ptlibPath, env, sizeof(ptlibPath));  // <-- if PTLIBPLUGINDIR's length is bigger than 1024, ptlibPath may not be null-terminated

  char * p = ::strtok(ptlibPath, PATH_SEP);

Test

// clang -g -o dyna -fsanitize=address dyna.c && PTLIBPLUGINDIR=1234567890123456 ./dyna

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
  char ptlibPath[16];
  memset(ptlibPath, 0, sizeof(ptlibPath));
  char * env = getenv("PTLIBPLUGINDIR");
  if (env != NULL)
    strncpy(ptlibPath, env, sizeof(ptlibPath));
  char * p = strtok(ptlibPath, ":");
  return p == NULL;
}
=================================================================
==1884==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffea936e110 at pc 0x559f5fe449c1 bp 0x7ffea936e0d0 sp 0x7ffea936d890
READ of size 17 at 0x7ffea936e110 thread T0
    #0 0x559f5fe449c0 in strtok (/home/qiuhao/tmp/dyna+0x369c0) (BuildId: 48b1a96d205a9787b7359e57c7c5636c83bc1a88)
    #1 0x559f5fee9fbe in main /home/qiuhao/tmp/dyna.c:14:14
    #2 0x7f016f5d6d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #3 0x7f016f5d6e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #4 0x559f5fe2c314 in _start (/home/qiuhao/tmp/dyna+0x1e314) (BuildId: 48b1a96d205a9787b7359e57c7c5636c83bc1a88)
......

Fix

qiuhao@HW0018292:~/tmp$ diff dyna_fix.c dyna.c
13c13
<     strncpy(ptlibPath, env, sizeof(ptlibPath) - 1);
---
>     strncpy(ptlibPath, env, sizeof(ptlibPath));
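
Review bot: the `<` line (the fixed file, since the arguments are `dyna_fix.c dyna.c`) still gets its terminator only from the earlier memset and silently truncates a longer PTLIBPLUGINDIR, so the last directory handed to strtok can be a cut-off path. Consider setting ptlibPath[sizeof(ptlibPath) - 1] = '\0' explicitly after the copy, and skipping or logging the value when strlen(env) >= sizeof(ptlibPath).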

Thanks,
  Qiuhao Li, Zoom Video Communications, Inc.
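
The strncpy behaviour reported above, with a stricter alternative that rejects an oversized value instead of truncating it. This is an added example, not code from the issue or from h323plus; `terminated_after`, `copy_path_list` and `split_dirs` are hypothetical names, and ":" stands in for PATH_SEP as in the issue's test program.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if a zeroed buffer of bufsize bytes (at most 64) still holds a
 * NUL after strncpy(buf, src, count), 0 if every byte was overwritten. */
int terminated_after(const char *src, size_t bufsize, size_t count)
{
  char buf[64];
  if (bufsize > sizeof(buf) || count > bufsize)
    return -1;
  memset(buf, 'X', sizeof(buf));   /* stand-in for neighbouring stack bytes */
  memset(buf, 0, bufsize);         /* same pre-zeroing as the issue's code */
  strncpy(buf, src, count);
  return memchr(buf, 0, bufsize) != NULL;
}

/* Hypothetical helper: copy a directory list only if it fits together with
 * its terminator. Returns 0 on success, -1 if it was rejected as too long. */
int copy_path_list(char *buf, size_t bufsize, const char *src)
{
  size_t len;
  if (buf == NULL || bufsize == 0)
    return -1;
  buf[0] = '\0';
  if (src == NULL)
    return 0;
  len = strlen(src);
  if (len >= bufsize)              /* would be cut mid-path: refuse instead */
    return -1;
  memcpy(buf, src, len + 1);       /* len + 1 includes the NUL */
  return 0;
}

/* Split buf in place on sep; stores up to maxdirs entries, returns the count. */
size_t split_dirs(char *buf, const char *sep, char **dirs, size_t maxdirs)
{
  size_t n = 0;
  char *p;
  for (p = strtok(buf, sep); p != NULL && n < maxdirs; p = strtok(NULL, sep))
    dirs[n++] = p;
  return n;
}

int main(void)
{
  const char *value = "1234567890123456";  /* constructed, 16 bytes */
  printf("count=16: %d, count=15: %d\n",
         terminated_after(value, 16, 16), terminated_after(value, 16, 15));
  return 0;
}
```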

@willamowius
Owner

Patch applied, thanks!
