From 89b148d0453960ba05551cf441a3d84b191b338d Mon Sep 17 00:00:00 2001
From: Nathan Mills <38995150+Quipyowert2@users.noreply.github.com>
Date: Tue, 30 Mar 2021 15:42:13 -0700
Subject: [PATCH] Fix potential buffer overflow in session handling code.

This buffer overflow is fixed by including field width limits in the format strings passed to sscanf. sscanf's %s and %[ format specifiers can overflow the output buffer unless a field width limit is given. if sscanf encounters a string without spaces (with %s) or without the characters in the set given (with %[) and this string is longer than the output buffer, it will overflow the buffer.
---
 fvwm/session.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/fvwm/session.c b/fvwm/session.c
index bff99cbfd..3b9778922 100644
--- a/fvwm/session.c
+++ b/fvwm/session.c
@@ -373,7 +373,7 @@ static Bool VerifyVersionInfo(char *filename)
 if (!strcmp(s1, "[FVWM_VERSION]"))
 {
 char *current_v = get_version_string();
- sscanf(s, "%*s %[^\n]", s1);
+ sscanf(s, "%*s %4095[^\n]", s1);
 if (strcmp(s1, current_v) == 0)
 {
 does_file_version_match = True;
@@ -1222,7 +1222,7 @@ LoadGlobalState(char *filename)
 {
 s2++;
 }
- sscanf(s2, "%[^\n]", s1);
+ sscanf(s2, "%4095[^\n]", s1);
 is_key = fxstrdup(s1);
 }
 else if (!strcmp(s1, "[VALUE]"))
@@ -1233,7 +1233,7 @@ LoadGlobalState(char *filename)
 {
 s2++;
 }
- sscanf(s2, "%[^\n]", s1);
+ sscanf(s2, "%4095[^\n]", s1);
 is_value = fxstrdup(s1);
 
 if (is_key != NULL && is_value != NULL)
@@ -1347,7 +1347,7 @@ LoadWindowStates(char *filename)
 if (!SessionSupport /* migo: temporarily */ &&
 !strcmp(s1, "[REAL_STATE_FILENAME]"))
 {
- sscanf(s, "%*s %s", s1);
+ sscanf(s, "%*s %4095s", s1);
 set_sm_properties(sm_conn, s1, FSmRestartIfRunning);
 set_real_state_filename(s1);
 }
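Review bot: The width 4095 written into the new format strings is a magic number that must stay exactly one less than the size of `s1`, whose declaration is outside every hunk (presumably `char s1[4096]`); nothing ties the two together, so a later resize of the buffer would silently reopen the overflow this commit closes. The same literal is repeated in all ten hunks (VerifyVersionInfo at 373, LoadGlobalState at 1222 and 1233, LoadWindowStates at 1347, 1466, 1476, 1486, 1496, 1506 and 1520). Deriving the width from a single definition with the preprocessor keeps them in step, e.g. (names chosen here) `#define S1_WIDTH 4095`, `#define STR2(x) #x` / `#define STR(x) STR2(x)`, then `sscanf(s, "%*s %" STR(S1_WIDTH) "[^\n]", s1);` with `char s1[S1_WIDTH + 1]` at the declaration. The enclosing functions start and end outside the hunks.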
@@ -1466,7 +1466,7 @@ LoadWindowStates(char *filename)
 {
 s2++;
 }
- sscanf(s2, "%[^\n]", s1);
+ sscanf(s2, "%4095[^\n]", s1);
 matches[num_match - 1].client_id = duplicate(s1);
 }
 else if (!strcmp(s1, "[WINDOW_ROLE]"))
@@ -1476,7 +1476,7 @@ LoadWindowStates(char *filename)
 {
 s2++;
 }
- sscanf(s2, "%[^\n]", s1);
+ sscanf(s2, "%4095[^\n]", s1);
 matches[num_match - 1].window_role = duplicate(s1);
 }
 else if (!strcmp(s1, "[RES_NAME]"))
@@ -1486,7 +1486,7 @@ LoadWindowStates(char *filename)
 {
 s2++;
 }
- sscanf(s2, "%[^\n]", s1);
+ sscanf(s2, "%4095[^\n]", s1);
 matches[num_match - 1].res_name = duplicate(s1);
 }
 else if (!strcmp(s1, "[RES_CLASS]"))
@@ -1496,7 +1496,7 @@ LoadWindowStates(char *filename)
 {
 s2++;
 }
- sscanf(s2, "%[^\n]", s1);
+ sscanf(s2, "%4095[^\n]", s1);
 matches[num_match - 1].res_class = duplicate(s1);
 }
 else if (!strcmp(s1, "[WM_NAME]"))
@@ -1506,7 +1506,7 @@ LoadWindowStates(char *filename)
 {
 s2++;
 }
- sscanf(s2, "%[^\n]", s1);
+ sscanf(s2, "%4095[^\n]", s1);
 matches[num_match - 1].wm_name = duplicate(s1);
 }
 else if (!strcmp(s1, "[WM_COMMAND]"))
@@ -1520,7 +1520,7 @@ LoadWindowStates(char *filename)
 for (i = 0; i < matches[num_match - 1].wm_command_count; i++)
 {
- sscanf (s+pos, "%s%n", s1, &pos1);
+ sscanf (s+pos, "%4095s%n", s1, &pos1);
 pos += pos1;
 matches[num_match - 1].wm_command[i] = duplicate (s1);
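Review bot: With the width limit in place, a line whose payload after the tag exceeds 4095 characters is now silently truncated before `duplicate(s1)` (hunks at 1466, 1476, 1486, 1496 and 1506), and a line with nothing left after the tag leaves the previous contents of `s1` in place because sscanf's return value is still ignored, so stale data from an earlier line gets duplicated into the new field. Checking the conversion count closes the second case, e.g. `if (sscanf(s2, "%4095[^\n]", s1) == 1) { matches[num_match - 1].client_id = duplicate(s1); }` and likewise for the other fields; whether truncation should also be reported depends on how the state file is produced, which is not visible here. The same two points apply to the `fxstrdup(s1)` and `set_real_state_filename(s1)` hunks on the preceding line. The enclosing function starts and ends outside these hunks.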