From af1dc37a19a3a0f94838b81d615c78ab791b8850 Mon Sep 17 00:00:00 2001 From: peternmuller Date: Fri, 12 Sep 2025 15:53:36 +0200 Subject: [PATCH] Fix buffer overflows * Happens when using the -ant parameter Error example: signalserver -sdf data/SRTM3 -lat 47.7962 -lon 3.57028 -R 5 -txh 1.5 -rxh 1.5 -rt -130 -ant antenna/SC466 -color palette.dcf -f 868 -pm 1 -erp 0.282 -m -dbm -dbg -o exercice4 [2025-09-12 15:43:33.884] [info] [2025-09-12 15:43:33.884] [info] Version 4.0 (master defdc59) [2025-09-12 15:43:33.884] [info] Compile date: Sep 12 2025 13:40:58 [2025-09-12 15:43:33.884] [info] Built for 100 DEM tiles at 1200 pixels [2025-09-12 15:43:33.884] [info] *** buffer overflow detected ***: terminated Abandon (core dumped) Signed-off-by: peternmuller --- src/image.cc | 9 ++++++--- src/main.cc | 46 ++++++++++++++++++++++++++-------------------- 2 files changed, 32 insertions(+), 23 deletions(-)
diff --git a/src/image.cc b/src/image.cc
index 1af4e72..fc61659 100644
--- a/src/image.cc
+++ b/src/image.cc
@@ -159,15 +159,18 @@ int image_get_filename(image_ctx_t *ctx, char *out, size_t len_out, char *in){
 if(len_src > len_ext && strcmp(in+len_src-len_ext,ctx->extension) == 0){
 /* Already has correct extension and fits in buffer */
- if(len_src < len_out)
- strncpy(in,out,len_out);
+ if(len_src < len_out){
+ strncpy(out, in, len_out);
+ out[len_out-1] = '\0';
+ }
 else
 success = ENOMEM;
 }else if(len_src > len_ext){
 /* Doesn't have correct extension and fits */
 if(len_src + len_ext < len_out){
 strncpy(out,in,len_out);
- strncat(out,ctx->extension,len_out);
+ out[len_out-1] = '\0';
+ strncat(out, ctx->extension, len_out - strlen(out) - 1);
 }else
 success = ENOMEM;
 }else{
diff --git a/src/main.cc b/src/main.cc
index f1a4d7f..3778286 100644
--- a/src/main.cc
+++ b/src/main.cc
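Review bot: `in` is still a writable `char *` in the signature shown in the hunk header, which is what allowed the swapped `strncpy(in,out,len_out)` on the removed line to compile in the first place. Declaring it `const char *in` would make the compiler reject any write through the source pointer, so this class of mistake cannot come back silently. The signature and its header declaration lie outside the hunk, so callers need a quick check, although passing a `char *` to a `const char *` parameter stays valid. Both branches already prove the result fits (`len_src < len_out`, `len_src + len_ext < len_out`), so a short comment such as `/* length checked above; terminator kept as defence in depth */` on the added `out[len_out-1] = '\0';` lines would explain why they are there.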
@@ -1320,28 +1320,33 @@ int main(int argc, char *argv[])
 /* Antenna pattern files have the same basic name as the output file
 * but with a different extension. If they exist, load them now */
- if( (az_filename = (char*) calloc(strlen(argv[z]) + strlen(AZ_FILE_SUFFIX) + 1, sizeof(char))) == NULL )
- return ENOMEM;
-
- strncpy(mapfile, argv[z], 253);
- strncpy(tx_site[0].name, "Tx", 2);
- strncpy(tx_site[0].filename, argv[z], 253);
-
- if (antenna_file[0] != '\0')
- strcpy(az_filename, antenna_file);
- else
- strcpy(az_filename, argv[z]);
- strcat(az_filename, AZ_FILE_SUFFIX);
-
- if( (el_filename = (char*) calloc(strlen(argv[z]) + strlen(EL_FILE_SUFFIX) + 1, sizeof(char))) == NULL ){
+ size_t base_len = strlen(argv[z]);
+ if(base_len >= sizeof(mapfile)){
+ spdlog::error("Output name too long (max {} chars)", sizeof(mapfile)-2);
+ exit(1);
+ }
+ // Copy base name into mapfile and tx_site structures
+ strncpy(mapfile, argv[z], sizeof(mapfile)-1);
+ mapfile[sizeof(mapfile)-1] = '\0';
+ strncpy(tx_site[0].name, "Tx", sizeof(tx_site[0].name)-1);
+ tx_site[0].name[sizeof(tx_site[0].name)-1] = '\0';
+ strncpy(tx_site[0].filename, argv[z], sizeof(tx_site[0].filename)-1);
+ tx_site[0].filename[sizeof(tx_site[0].filename)-1] = '\0';
+
+ const char *az_base = (antenna_file[0] != '\0') ? antenna_file : argv[z];
+ const char *el_base = az_base; // same logic
+ size_t az_needed = strlen(az_base) + strlen(AZ_FILE_SUFFIX) + 1;
+ size_t el_needed = strlen(el_base) + strlen(EL_FILE_SUFFIX) + 1;
+
+ az_filename = (char*)calloc(az_needed, sizeof(char));
+ if(az_filename == NULL) return ENOMEM;
+ el_filename = (char*)calloc(el_needed, sizeof(char));
+ if(el_filename == NULL){
 free(az_filename);
 return ENOMEM;
 }
- if (antenna_file[0] != '\0')
- strcpy(el_filename, antenna_file);
- else
- strcpy(el_filename, argv[z]);
- strcat(el_filename, EL_FILE_SUFFIX);
+ snprintf(az_filename, az_needed, "%s%s", az_base, AZ_FILE_SUFFIX);
+ snprintf(el_filename, el_needed, "%s%s", el_base, EL_FILE_SUFFIX);
 if( (result = LoadPAT(az_filename,el_filename)) != 0 ){
 spdlog::error("Permissions error reading antenna pattern file");
@@ -1355,7 +1360,8 @@ int main(int argc, char *argv[])
 /* Handle writing image data to stdout */
 to_stdout = true;
 mapfile[0] = '\0';
- strncpy(tx_site[0].name, "Tx", 2);
+ strncpy(tx_site[0].name, "Tx", sizeof(tx_site[0].name)-1);
+ tx_site[0].name[sizeof(tx_site[0].name)-1] = '\0';
 tx_site[0].filename[0] = '\0';
 spdlog::error("Writing data to stdout");
 }
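Review bot: The new length check covers only `mapfile`, but the same `argv[z]` is then copied into `tx_site[0].filename` with silent truncation; if that field is smaller than `mapfile` (both declarations are outside this hunk) the site file name would quietly differ from the output name. Checking both, e.g. `if(base_len >= sizeof(mapfile) || base_len >= sizeof(tx_site[0].filename)){`, keeps the failure explicit. The message also prints `sizeof(mapfile)-2` although the longest name the check accepts is `sizeof(mapfile)-1`. All the `sizeof` bounds assume these destinations are arrays rather than pointers, which should be confirmed at the declarations. `main` starts and ends outside the hunk.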
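Review bot: The copy-then-terminate pair added in the stdout branch is the fourth instance of the same two lines in this commit (the other three are in the previous hunk of this file), so a wrong size in one of them is easy to miss in later edits. A single call does both steps and matches the `snprintf` use for `az_filename`: `snprintf(tx_site[0].name, sizeof(tx_site[0].name), "%s", "Tx");`. The enclosing block of `main` starts outside the hunk.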