Vladimir N. Oleynik writes:

    This moment have algoritmicaly problem, not overflow:
    strcat(wrapped, wrapped) - may be looped.

    Hand patch:

    - else if (strstr(strcat(wrapped, wrapped), newmono))
    + else {
    +    safe_strncpy(wrapped + lenwrap, wrapped, lenwrap + 1);
    +    if (strstr(wrapped, newmono))
    +}

    --w
    vodz

diff --git a/libbb/obscure.c b/libbb/obscure.c
index 1a99b7c..537d448 100644 (file)
--- a/libbb/obscure.c
+++ b/libbb/obscure.c
@@ -157,8 +157,11 @@ password_check(const char *old, const char *newval, const struct passwd *pwdp)
        else if (similiar(wrapped, newmono))
                msg = "too similiar";
 
-       else if (strstr(strcat(wrapped, wrapped), newmono))
-               msg = "rotated";
+       else {
+               safe_strncpy(wrapped + lenwrap, wrapped, lenwrap + 1);
+               if (strstr(wrapped, newmono))
+                       msg = "rotated";
+       }
 
        bzero(newmono, strlen(newmono));
        bzero(wrapped, lenwrap);