authorAlan Modra <amodra@gmail.com>2024-11-29 10:18:36 +1030
committerAlan Modra <amodra@gmail.com>2024-11-29 15:43:44 +1030
commit1e3b2da08eb21042f01a9f6862b487ca77484c92 (patch)
treed62570282bb9bd01922bb121e90985fa04c7a467
parentb270c84810e3c89548fead11ec9dee3e2395becb (diff)
PR32399, buffer overflow printing core_file_failing_command
Assorted targets do not check, as the ELF targets do, that the program name in a core file is NUL terminated. Fix some of them. I haven't attempted to fix all targets because editing host specific code can easily result in build bugs, which aren't discovered until someone builds binutils for that host. (Of the files edited here, I can't easily compile hpux-core.c and osf-core.c on a linux system.) PR 32399 * hppabsd-core.c (hppabsd_core_core_file_p): Ensure core_command string is terminated. * hpux-core.c (hpux_core_core_file_p): Likewise. * irix-core.c (irix_core_core_file_p): Likewise. * lynx-core.c (lynx_core_file_p): Likewise. * osf-core.c (osf_core_core_file_p): Likewise. * mach-o.c (bfd_mach_o_core_file_failing_command): Likewise.
-rw-r--r--bfd/hppabsd-core.c3
-rw-r--r--bfd/hpux-core.c3
-rw-r--r--bfd/irix-core.c3
-rw-r--r--bfd/lynx-core.c3
-rw-r--r--bfd/mach-o.c4
-rw-r--r--bfd/osf-core.c3
6 files changed, 12 insertions, 7 deletions
diff --git a/bfd/hppabsd-core.c b/bfd/hppabsd-core.c
index ae5d1f8..1c24e64 100644
--- a/bfd/hppabsd-core.c
+++ b/bfd/hppabsd-core.c
@@ -179,7 +179,8 @@ hppabsd_core_core_file_p (bfd *abfd)
goto fail;
core_regsec (abfd)->vma = 0;
- strncpy (core_command (abfd), u.u_comm, MAXCOMLEN + 1);
+ strncpy (core_command (abfd), u.u_comm, MAXCOMLEN);
+ core_command (abfd)[MAXCOMLEN] = 0;
core_signal (abfd) = u.u_code;
return _bfd_no_cleanup;
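Review bot: The explicit terminator `core_command (abfd)[MAXCOMLEN] = 0;` is only in bounds if the destination holds at least MAXCOMLEN + 1 bytes, and the hunk does not show that declaration. If core_command expands to a fixed-size array, deriving the index from the array itself would keep the write in bounds should the size ever change, for example `core_command (abfd)[sizeof (core_command (abfd)) - 1] = 0;`. A short comment such as `/* u_comm comes from the core file and may not be NUL terminated.  */` would also record why strncpy alone is not enough. The same applies to the strncpy pairs in the hpux-core.c, irix-core.c, lynx-core.c and osf-core.c hunks; hppabsd_core_core_file_p starts and ends outside this hunk.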
diff --git a/bfd/hpux-core.c b/bfd/hpux-core.c
index 1e2ea92..18516e3 100644
--- a/bfd/hpux-core.c
+++ b/bfd/hpux-core.c
@@ -177,7 +177,8 @@ hpux_core_core_file_p (bfd *abfd)
struct proc_exec proc_exec;
if (bfd_read (&proc_exec, core_header.len, abfd) != core_header.len)
break;
- strncpy (core_command (abfd), proc_exec.cmd, MAXCOMLEN + 1);
+ strncpy (core_command (abfd), proc_exec.cmd, MAXCOMLEN);
+ core_command (abfd)[MAXCOMLEN] = 0;
good_sections++;
}
break;
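Review bot: The context line `bfd_read (&proc_exec, core_header.len, abfd)` reads a length taken from core_header into the fixed-size stack object proc_exec, and nothing visible in the hunk bounds that length. If core_header.len comes from the core file, as it appears to, a value larger than `sizeof (proc_exec)` would write past the struct before the newly terminated copy is reached, and a smaller one leaves proc_exec.cmd partly uninitialised. A guard such as `if (core_header.len != sizeof (proc_exec)) break;` ahead of the read would close this, provided legitimate files always carry the full struct size. The enclosing switch case starts outside the hunk, so an earlier check may already exist.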
diff --git a/bfd/irix-core.c b/bfd/irix-core.c
index 80cb82d..7a48684 100644
--- a/bfd/irix-core.c
+++ b/bfd/irix-core.c
@@ -203,7 +203,8 @@ irix_core_core_file_p (bfd *abfd)
if (!core_hdr (abfd))
return NULL;
- strncpy (core_command (abfd), coreout.c_name, CORE_NAMESIZE);
+ strncpy (core_command (abfd), coreout.c_name, CORE_NAMESIZE - 1);
+ core_command (abfd)[CORE_NAMESIZE - 1] = 0;
core_signal (abfd) = coreout.c_sigcause;
if (bfd_seek (abfd, coreout.c_vmapoffset, SEEK_SET) != 0)
diff --git a/bfd/lynx-core.c b/bfd/lynx-core.c
index 44d94ad..7870dc6 100644
--- a/bfd/lynx-core.c
+++ b/bfd/lynx-core.c
@@ -120,7 +120,8 @@ lynx_core_file_p (bfd *abfd)
if (!core_hdr (abfd))
return NULL;
- strncpy (core_command (abfd), pss.pname, PNMLEN + 1);
+ strncpy (core_command (abfd), pss.pname, PNMLEN);
+ core_command (abfd)[PNMLEN] = 0;
/* Compute the size of the thread contexts */
diff --git a/bfd/mach-o.c b/bfd/mach-o.c
index 974747c..037718f 100644
--- a/bfd/mach-o.c
+++ b/bfd/mach-o.c
@@ -6019,9 +6019,9 @@ bfd_mach_o_core_file_failing_command (bfd *abfd)
int ret;
ret = bfd_mach_o_core_fetch_environment (abfd, &buf, &len);
- if (ret < 0)
+ if (ret < 0 || len == 0)
return NULL;
-
+ buf[len - 1] = 0;
return (char *) buf;
}
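Review bot: `buf[len - 1] = 0;` overwrites the final byte unconditionally, so data that arrives without a terminator loses its last character, and nothing in the code says this is intended. A comment such as `/* The data comes from the core file; force termination, at the cost of the last byte.  */` would make the trade-off explicit. It may also be worth confirming whether bfd_mach_o_core_fetch_environment can return success with `len == 0` and an allocated `buf`, since the new early return would then drop that allocation. The function's opening lines are outside the hunk.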
diff --git a/bfd/osf-core.c b/bfd/osf-core.c
index 55b127d..6869dfa 100644
--- a/bfd/osf-core.c
+++ b/bfd/osf-core.c
@@ -92,7 +92,8 @@ osf_core_core_file_p (bfd *abfd)
if (!core_hdr (abfd))
return NULL;
- strncpy (core_command (abfd), core_header.name, MAXCOMLEN + 1);
+ strncpy (core_command (abfd), core_header.name, MAXCOMLEN);
+ core_command (abfd)[MAXCOMLEN] = 0;
core_signal (abfd) = core_header.signo;
for (i = 0; i < core_header.nscns; i++)