diff -up cracklib-2.9.6/lib/fascist.c.overflow cracklib-2.9.6/lib/fascist.c
--- cracklib-2.9.6/lib/fascist.c.overflow 2015-10-23 16:58:38.403319225 +0200
+++ cracklib-2.9.6/lib/fascist.c 2016-12-08 17:28:41.490101358 +0100
@@ -515,7 +515,7 @@ FascistGecosUser(char *password, const c
 char gbuffer[STRINGSIZE];
 char tbuffer[STRINGSIZE];
 char *uwords[STRINGSIZE];
- char longbuffer[STRINGSIZE * 2];
+ char longbuffer[STRINGSIZE];
 if (gecos == NULL)
 gecos = "";
@@ -596,38 +596,47 @@ FascistGecosUser(char *password, const c
 {
 for (i = 0; i < j; i++)
 {
- strcpy(longbuffer, uwords[i]);
- strcat(longbuffer, uwords[j]);
-
- if (GTry(longbuffer, password))
+ if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
 {
- return _("it is derived from your password entry");
- }
-
- strcpy(longbuffer, uwords[j]);
- strcat(longbuffer, uwords[i]);
+ strcpy(longbuffer, uwords[i]);
+ strcat(longbuffer, uwords[j]);
- if (GTry(longbuffer, password))
- {
- return _("it's derived from your password entry");
+ if (GTry(longbuffer, password))
+ {
+ return _("it is derived from your password entry");
+ }
+
+ strcpy(longbuffer, uwords[j]);
+ strcat(longbuffer, uwords[i]);
+
+ if (GTry(longbuffer, password))
+ {
+ return _("it's derived from your password entry");
+ }
 }
- longbuffer[0] = uwords[i][0];
- longbuffer[1] = '\0';
- strcat(longbuffer, uwords[j]);
-
- if (GTry(longbuffer, password))
+ if (strlen(uwords[j]) < STRINGSIZE - 1)
 {
- return _("it is derivable from your password entry");
+ longbuffer[0] = uwords[i][0];
+ longbuffer[1] = '\0';
+ strcat(longbuffer, uwords[j]);
+
+ if (GTry(longbuffer, password))
+ {
+ return _("it is derivable from your password entry");
+ }
 }
- longbuffer[0] = uwords[j][0];
- longbuffer[1] = '\0';
- strcat(longbuffer, uwords[i]);
-
- if (GTry(longbuffer, password))
+ if (strlen(uwords[i]) < STRINGSIZE - 1)
 {
- return _("it's derivable from your password entry");
+ longbuffer[0] = uwords[j][0];
+ longbuffer[1] = '\0';
+ strcat(longbuffer, uwords[i]);
+
+ if (GTry(longbuffer, password))
+ {
+ return _("it's derivable from your password entry");
+ }
 }
 }
 }
diff -up cracklib-2.9.6/lib/rules.c.overflow cracklib-2.9.6/lib/rules.c
--- cracklib-2.9.6/lib/rules.c.overflow 2015-10-23 16:58:38.000000000 +0200
+++ cracklib-2.9.6/lib/rules.c 2016-12-08 18:03:27.041941297 +0100
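Review bot: In FascistGecosUser (fascist.c, hunk at -596) the three new length guards are written against `STRINGSIZE`, while the buffer they protect, `longbuffer`, is declared in the earlier hunk at -515, so the bound and the declaration can drift apart if either is edited again. Writing the guards against the buffer itself, e.g. `if (strlen(uwords[i]) + strlen(uwords[j]) < sizeof(longbuffer))` and `< sizeof(longbuffer) - 1` for the two initial-letter cases, keeps them tied; the arithmetic as written does leave room for the terminator in all three cases. Word pairs that fail a guard are skipped without being tested against the password, which is presumably intended because such a candidate cannot fit the buffer, but a one-line comment saying so would stop a later reader from treating it as a missed check. The function starts and ends outside this hunk.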
@@ -158,6 +158,8 @@ Pluralise(string, area) /* returns a po
 register int length;
 length = strlen(string);
 strcpy(area, string);
+ if (length > STRINGSIZE - 3) /* we add 2 characters at worst */
+ return (area);
 if (!Suffix(string, "ch") ||
 !Suffix(string, "ex") ||
@@ -462,11 +464,11 @@ Mangle(input, control, area) /* returns
 Pluralise(area2, area);
 break;
 case RULE_REFLECT:
- strcat(area, Reverse(area, area2));
+ strncat(area, Reverse(area, area2), STRINGSIZE - strlen(area) - 1);
 break;
 case RULE_DUPLICATE:
 strcpy(area2, area);
- strcat(area, area2);
+ strncat(area, area2, STRINGSIZE - strlen(area) - 1);
 break;
 case RULE_GT:
 if (!ptr[1])
@@ -514,7 +516,8 @@ Mangle(input, control, area) /* returns
 } else
 {
 area2[0] = *(++ptr);
- strcpy(area2 + 1, area);
+ strncpy(area2 + 1, area, STRINGSIZE - 2);
+ area2[STRINGSIZE - 1] = '\0';
 strcpy(area, area2);
 }
 break;
@@ -528,8 +531,10 @@ Mangle(input, control, area) /* returns
 register char *string;
 string = area;
 while (*(string++));
- string[-1] = *(++ptr);
- *string = '\0';
+ if (string < area + STRINGSIZE) {
+ string[-1] = *(++ptr);
+ *string = '\0';
+ }
 }
 break;
 case RULE_EXTRACT:
@@ -600,6 +605,10 @@ Mangle(input, control, area) /* returns
 }
 p1 = area;
 p2 = area2;
+ if (strlen(p1) > STRINGSIZE - 2) {
+ /* truncate */
+ p1[STRINGSIZE - 2] = '\0';
+ }
 while (i && *p1)
 {
 i--;
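Review bot: In Pluralise (rules.c, hunk at -158) the unbounded `strcpy(area, string)` still runs before the added length test, so the test protects only the suffix appended later. The copy itself relies on every caller passing a string that already fits the destination. If that precondition holds it deserves a comment above the copy, such as `/* caller guarantees strlen(string) < STRINGSIZE */`; otherwise the test should come first and bound the copy too. The rest of the function lies outside the hunk.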
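Review bot: In Mangle's RULE_REFLECT and RULE_DUPLICATE cases (rules.c, hunk at -462) the count `STRINGSIZE - strlen(area) - 1` takes strlen's unsigned `size_t` type, so it is a real bound only while `area` already holds fewer than STRINGSIZE characters. If that ever fails, the subtraction wraps to a very large value and `strncat` is effectively unbounded again. The untouched `strcpy(area2, area)` in RULE_DUPLICATE and the `strcpy(area, area2)` in the hunk at -514 lean on the same invariant. A comment above these cases, for example `/* every rule must leave area NUL-terminated within STRINGSIZE bytes */`, would make the dependency explicit and could also say that an over-long result is truncated rather than rejected.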
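Review bot: In the block of Mangle that appends a character (rules.c, hunk at -528), `++ptr` now sits inside the new `if`, so when `area` is already full the rule's argument character is not consumed. If the enclosing loop, which is outside this hunk, advances `ptr` by one per rule, that leftover character would be interpreted as the next rule command and the rest of the control string would be parsed out of step. The prefix case in the hunk at -514 still consumes its argument unconditionally via `area2[0] = *(++ptr);`. Advancing first keeps the two consistent: put `ptr++;` before the test and use `string[-1] = *ptr;` inside it.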
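Review bot: The `/* truncate */` comment in the last hunk (rules.c, -600) says what the line does but not why the limit is `STRINGSIZE - 2`. The copy loop that follows is mostly outside the hunk and presumably adds one character to the output, so something like `/* leave room for one inserted character plus the NUL */` would record the reasoning, if that reading is right. The truncation also writes through `p1` into the caller-visible `area` before the loop runs, which is worth stating in the same comment.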