Properly terminate parsed environment values with '\0'.

The function strncpy() does not guarantee to nul terminate the
destination. In most cases, this cannot be triggered, but it is also
used to parse user environment variables. These are allowed to be longer
than 1023 characters, effectively resulting in an unterminated string.

I've adjusted other places as well, because it won't hurt.

https://bugs.freedesktop.org/show_bug.cgi?id=96677
(cherry picked from commit 1517fd276e12cac14c018d5a30792177eb6c59de)

2 files changed, 8 insertions, 2 deletions

diff --git a/va/va.c b/va/va.c
index cd88d67..b524fc7 100644
--- a/va/va.c
+++ b/va/va.c
@@ -74,8 +74,10 @@ int va_parseConfig(char *env, char *env_value)
 	    continue;
 
         if (strcmp(token, env) == 0) {
-            if (env_value)
+            if (env_value) {
                 strncpy(env_value,value, 1024);
+                env_value[1023] = '\0';
+            }
 
             fclose(fp);
 
@@ -88,8 +90,10 @@ int va_parseConfig(char *env, char *env_value)
     /* no setting in config file, use env setting */
     value = getenv(env);
     if (value) {
-        if (env_value)
+        if (env_value) {
             strncpy(env_value, value, 1024);
+            env_value[1023] = '\0';
+        }
         return 0;
     }
     
diff --git a/va/va_trace.c b/va/va_trace.c
index 96c076c..13fc6d2 100644
--- a/va/va_trace.c
+++ b/va/va_trace.c
@@ -546,6 +546,7 @@ static int open_tracing_specil_file(
     FILE *fp = NULL;
 
     strncpy(env_value, fn_env, 1024);
+    env_value[1023] = '\0';
     FILE_NAME_SUFFIX(env_value, 1024,
         "ctx-", (unsigned int)ptra_ctx->trace_context);
 
@@ -594,6 +595,7 @@ static int open_tracing_log_file(
         char env_value[1024];
 
         strncpy(env_value, pva_trace->fn_log_env, 1024);
+        env_value[1023] = '\0';
         FILE_NAME_SUFFIX(env_value, 1024,
             "thd-", (unsigned int)thd_id);