From ab0dd2cca7f112beff19ba28011656cb4b602fde Mon Sep 17 00:00:00 2001 From: Christian Stimming Date: Tue, 5 Oct 2010 18:07:38 +0000 Subject: [PATCH] Bug #593479: Ensure not to accidentally delete our main account file. Original patch by Tim Retout who writes: strptime is passed (name + pathlen + 1) as the string to search. However, when looking at the main account file, strlen(name) == pathlen, so strptime is looking at the point just past the end of name. Sometimes this will be parseable by strptime, and this leads to the account file being unlinked. git-svn-id: svn+ssh://svn.gnucash.org/repo/gnucash/trunk@19638 57a11ea4-9604-0410-9ed3-97b8803252fd
---
 src/backend/xml/gnc-backend-xml.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/backend/xml/gnc-backend-xml.c b/src/backend/xml/gnc-backend-xml.c
index 476b8d83ce..d52fac1283 100644
--- a/src/backend/xml/gnc-backend-xml.c
+++ b/src/backend/xml/gnc-backend-xml.c
@@ -834,16 +834,24 @@ gnc_xml_be_remove_old_files(FileBackend *be)
 continue;
 name = g_build_filename(be->dirname, dent, (gchar*)NULL);
- len = strlen(name) - 4;
+ len = strlen(name);
 /* Never remove the current data file itself */
 if (g_strcmp0(name, be->fullpath) == 0)
 continue;
- /* Is this file associated with the current data file */
- if (strncmp(name, be->fullpath, pathlen) == 0)
+ /* Is this file associated with the current data file?
+ * Additionally, the invariants for the pointer arithmetic
+ * must hold: String length long enough to contain the suffix,
+ * and string length large enough so that strptime below will
+ * not be passed a pointer outside of our string. (Otherwise
+ * the result of strptime might be parseable and the main data
+ * file is deleted, #593479) */
+ if ((strncmp(name, be->fullpath, pathlen) == 0)
+ && (len >= 4)
+ && (len > pathlen))
 {
- if (safe_strcmp(name + len, ".LNK") == 0)
+ if (safe_strcmp(name + len - 4, ".LNK") == 0)
 {
 /* Is a lock file. Skip the active lock file */
 if ((safe_strcmp(name, be->linkfile) != 0) &&