Bugzilla bug 136279: fixed bugs where 'path' and 'oldpath' were passed

to string functions before they were null-terminated.  Added a comment
to explain what 'oldpath' is for.  (Tag: NSS_3_4_BRANCH)

1 files changed, 11 insertions, 4 deletions

diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c
index edb13b17e..868173001 100644
--- a/security/nss/lib/nss/nssinit.c
+++ b/security/nss/lib/nss/nssinit.c
@@ -298,16 +298,17 @@ static void nss_FindExternalRootPaths(const char *dbpath, const char* secmodpref
     if (path[path_len-1] != FILE_SEP) {
         path[path_len++] = FILE_SEP;
     }
-    PORT_Strcpy(oldpath, path);
+    PORT_Memcpy(oldpath,path,path_len);
     PORT_Strcpy(&path[path_len],dllname);
     if (secmodprefix) {
         lastsep = PORT_Strrchr(secmodprefix, FILE_SEP);
         if (lastsep) {
-            PORT_Strncpy(&oldpath[path_len],secmodprefix,
-                         lastsep-secmodprefix+1); /* FILE_SEP */
+            int secmoddir_len = lastsep-secmodprefix+1; /* FILE_SEP */
+            PORT_Memcpy(&oldpath[path_len],secmodprefix,secmoddir_len);
+            path_len += secmoddir_len;
         }
     }
-    PORT_Strcat(oldpath, dllname);
+    PORT_Strcpy(&oldpath[path_len],dllname);
     *retoldpath = oldpath;
     *retnewpath = path;
     return;
@@ -328,6 +329,12 @@ nss_FindExternalRoot(const char *dbpath, const char* secmodprefix)
 {
 	char *path = NULL;
         char *oldpath = NULL;
+
+        /*
+         * 'oldpath' is the external root path in NSS 3.3.x or older.
+         * For backward compatibility we try to load the root certs
+         * module with the old path first.
+         */
         nss_FindExternalRootPaths(dbpath, secmodprefix, &oldpath, &path);
         if (oldpath) {
             (void) SECMOD_AddNewModule("Root Certs",oldpath, 0, 0);