From 44d513f0145476769ce310a7bc3888c32bfc62e6 Mon Sep 17 00:00:00 2001 From: Michael Roitzsch Date: Sun, 25 Jul 2004 17:11:59 +0000 Subject: protect some buffers to be on the safe side (some of them might be hard to overflow, but it could be possible) input_cdda contains the copy&paste bug of filling the buffer to its end and then appending yet another character CVS patchset: 6848 CVS date: 2004/07/25 17:11:59 --- src/input/input_cdda.c | 32 ++++++++++++++++---------------- src/input/input_file.c | 10 +++++----- src/input/input_pvr.c | 28 +++++++++++++++++----------- src/input/mms.c | 11 +++++------ 4 files changed, 43 insertions(+), 38 deletions(-) diff --git a/src/input/input_cdda.c b/src/input/input_cdda.c index 833f3b025..2f5638db6 100644 --- a/src/input/input_cdda.c +++ b/src/input/input_cdda.c @@ -20,7 +20,7 @@ * Compact Disc Digital Audio (CDDA) Input Plugin * by Mike Melanson (melanson@pcisys.net) * - * $Id: input_cdda.c,v 1.61 2004/07/20 00:50:10 rockyb Exp $ + * $Id: input_cdda.c,v 1.62 2004/07/25 17:11:59 mroi Exp $ */ #ifdef HAVE_CONFIG_H @@ -901,7 +901,7 @@ static int network_command( xine_stream_t *stream, int socket, char *data_buf, c int ret, n; va_start(args, msg); - vsnprintf(buf, _BUFSIZ, msg, args); + vsnprintf(buf, _BUFSIZ - 1, msg, args); va_end(args); /* Each line sent is '\n' terminated */ @@ -1175,7 +1175,7 @@ static void _cdda_mkdir_safe(xine_t *xine, char *path) { #else { HANDLE hList; - TCHAR szDir[MAX_PATH+1]; + TCHAR szDir[MAX_PATH+3]; WIN32_FIND_DATA FileData; // Get the proper directory path @@ -1210,7 +1210,7 @@ static void _cdda_mkdir_recursive_safe(xine_t *xine, char *path) { memset(&buf, 0, sizeof(buf)); memset(&buf2, 0, sizeof(buf2)); - sprintf(buf, "%s", path); + snprintf(buf, sizeof(buf), "%s", path); pp = buf; while((p = xine_strsep(&pp, "/")) != NULL) { if(p && strlen(p)) { @@ -1219,12 +1219,12 @@ static void _cdda_mkdir_recursive_safe(xine_t *xine, char *path) { if (*buf2 != '\0') { #endif - sprintf(buf2, "%s/%s", buf2, p); + snprintf(buf2, sizeof(buf2), "%s/%s", buf2, p); #ifdef WIN32 } else { - sprintf(buf2, "%s", p); + snprintf(buf2, sizeof(buf2), "%s", p); } #endif /* WIN32 */ @@ -1241,7 +1241,7 @@ static char *_cdda_cddb_get_default_location(void) { static char buf[XINE_PATH_MAX + XINE_NAME_MAX + 1]; memset(&buf, 0, sizeof(buf)); - sprintf(buf, "%s/.xine/cddbcache", (xine_get_homedir())); + snprintf(buf, sizeof(buf), "%s/.xine/cddbcache", (xine_get_homedir())); return buf; } @@ -1345,7 +1345,7 @@ static int _cdda_load_cached_cddb_infos(cdda_input_plugin_t *this) { return 0; memset(&cdir, 0, sizeof(cdir)); - sprintf(cdir, "%s", this->cddb.cache_dir); + snprintf(cdir, sizeof(cdir), "%s", this->cddb.cache_dir); if((dir = opendir(cdir)) != NULL) { struct dirent *pdir; @@ -1354,12 +1354,12 @@ static int _cdda_load_cached_cddb_infos(cdda_input_plugin_t *this) { char discid[9]; memset(&discid, 0, sizeof(discid)); - sprintf(discid, "%08lx", this->cddb.disc_id); + snprintf(discid, sizeof(discid), "%08lx", this->cddb.disc_id); if(!strcasecmp(pdir->d_name, discid)) { FILE *fd; - sprintf(cdir, "%s/%s", cdir, discid); + snprintf(cdir, sizeof(cdir), "%s/%s", cdir, discid); if((fd = fopen(cdir, "r")) == NULL) { xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, "input_cdda: fopen(%s) failed: %s.\n", cdir, strerror(errno)); @@ -1448,11 +1448,11 @@ static void _cdda_save_cached_cddb_infos(cdda_input_plugin_t *this, char *fileco memset(&cfile, 0, sizeof(cfile)); /* Ensure "~/.xine/cddbcache" exist */ - sprintf(cfile, "%s", this->cddb.cache_dir); + snprintf(cfile, sizeof(cfile), "%s", this->cddb.cache_dir); _cdda_mkdir_recursive_safe(this->stream->xine, cfile); - sprintf(cfile, "%s/%08lx", this->cddb.cache_dir, this->cddb.disc_id); + snprintf(cfile, sizeof(cfile), "%s/%08lx", this->cddb.cache_dir, this->cddb.disc_id); if((fd = fopen(cfile, "w")) == NULL) { xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, @@ -1572,9 +1572,9 @@ static int _cdda_cddb_retrieve(cdda_input_plugin_t *this) { memset(&buffer, 0, sizeof(buffer)); sprintf(buffer, "cddb query %08lx %d ", this->cddb.disc_id, this->cddb.num_tracks); for (i = 0; i < this->cddb.num_tracks; i++) { - sprintf(buffer, "%s%d ", buffer, this->cddb.track[i].start); + snprintf(buffer, sizeof(buffer), "%s%d ", buffer, this->cddb.track[i].start); } - sprintf(buffer, "%s%d\n", buffer, this->cddb.disc_length); + snprintf(buffer, sizeof(buffer), "%s%d\n", buffer, this->cddb.disc_length); if ((err = _cdda_cddb_send_command(this, buffer)) <= 0) { xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, "input_cdda: error while sending cddb query command.\n"); @@ -1605,7 +1605,7 @@ static int _cdda_cddb_retrieve(cdda_input_plugin_t *this) { /* Send read command */ memset(&buffer, 0, sizeof(buffer)); - sprintf(buffer, "cddb read %s %s\n", this->cddb.disc_category, this->cddb.cdiscid); + snprintf(buffer, sizeof(buffer), "cddb read %s %s\n", this->cddb.disc_category, this->cddb.cdiscid); if ((err = _cdda_cddb_send_command(this, buffer)) <= 0) { xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, "input_cdda: error while sending cddb read command.\n"); @@ -1631,7 +1631,7 @@ static int _cdda_cddb_retrieve(cdda_input_plugin_t *this) { memset(&buffer, 0, sizeof(buffer)); _cdda_cddb_socket_read(this, buffer, sizeof(buffer) - 1); - sprintf(buffercache, "%s%s\n", buffercache, buffer); + snprintf(buffercache, sizeof(buffercache), "%s%s\n", buffercache, buffer); if (sscanf(buffer, "DTITLE=%s", &buf[0]) == 1) { char *pt, *artist, *title; diff --git a/src/input/input_file.c b/src/input/input_file.c index 0a4390c84..2aff36717 100644 --- a/src/input/input_file.c +++ b/src/input/input_file.c @@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA * - * $Id: input_file.c,v 1.94 2004/07/20 00:50:11 rockyb Exp $ + * $Id: input_file.c,v 1.95 2004/07/25 17:11:59 mroi Exp $ */ #ifdef HAVE_CONFIG_H @@ -452,7 +452,7 @@ static uint32_t get_file_type(char *filepathname, char *origin, xine_t *xine) { char buf[XINE_PATH_MAX + XINE_NAME_MAX + 1]; if((lstat(filepathname, &pstat)) < 0) { - sprintf(buf, "%s/%s", origin, filepathname); + snprintf(buf, sizeof(buf), "%s/%s", origin, filepathname); if((lstat(buf, &pstat)) < 0) { lprintf ("lstat failed for %s{%s}\n", filepathname, origin); file_type |= mrl_unknown; @@ -498,7 +498,7 @@ static off_t get_file_size(char *filepathname, char *origin) { char buf[XINE_PATH_MAX + XINE_NAME_MAX + 1]; if((lstat(filepathname, &pstat)) < 0) { - sprintf(buf, "%s/%s", origin, filepathname); + snprintf(buf, sizeof(buf), "%s/%s", origin, filepathname); if((lstat(buf, &pstat)) < 0) return (off_t) 0; } @@ -556,7 +556,7 @@ static xine_mrl_t **file_class_get_dir (input_class_t *this_gen, this->config->update_string(this->config, "input.file_origin_path", current_dir); if(strcasecmp(current_dir, "/")) - sprintf(current_dir_slashed, "%s/", current_dir); + snprintf(current_dir_slashed, sizeof(current_dir_slashed), "%s/", current_dir); else sprintf(current_dir_slashed, "/"); @@ -582,7 +582,7 @@ static xine_mrl_t **file_class_get_dir (input_class_t *this_gen, while((pdirent = readdir(pdir)) != NULL) { memset(fullfilename, 0, sizeof(fullfilename)); - sprintf(fullfilename, "%s/%s", current_dir, pdirent->d_name); + snprintf(fullfilename, sizeof(fullfilename), "%s/%s", current_dir, pdirent->d_name); if(is_a_dir(fullfilename)) { diff --git a/src/input/input_pvr.c b/src/input/input_pvr.c index 25b069894..5c4a75fc3 100644 --- a/src/input/input_pvr.c +++ b/src/input/input_pvr.c @@ -38,7 +38,7 @@ * usage: * xine pvr:/\!\! * - * $Id: input_pvr.c,v 1.47 2004/07/20 00:50:11 rockyb Exp $ + * $Id: input_pvr.c,v 1.48 2004/07/25 17:11:59 mroi Exp $ */ /************************************************************************** @@ -512,9 +512,11 @@ static void pvr_adjust_realtime_speed(pvr_input_plugin_t *this, fifo_buffer_t *f static char *make_temp_name(pvr_input_plugin_t *this, int page) { char *filename; - filename = malloc(strlen(this->tmp_prefix)+PVR_FILENAME_SIZE); + + int size = strlen(this->tmp_prefix)+PVR_FILENAME_SIZE; + filename = malloc(size); - sprintf(filename, PVR_FILENAME, this->tmp_prefix, this->session, page); + snprintf(filename, size, PVR_FILENAME, this->tmp_prefix, this->session, page); return filename; } @@ -527,14 +529,15 @@ static char *make_base_save_name(int channel, time_t tm) { struct tm rec_time; char *filename; - filename = malloc(SAVE_BASE_FILENAME_SIZE); + int size = SAVE_BASE_FILENAME_SIZE; + filename = malloc(size); localtime_r(&tm, &rec_time); - sprintf(filename, SAVE_BASE_FILENAME, - channel, rec_time.tm_mon+1, rec_time.tm_mday, - rec_time.tm_year+1900, rec_time.tm_hour, rec_time.tm_min, - rec_time.tm_sec); + snprintf(filename, size, SAVE_BASE_FILENAME, + channel, rec_time.tm_mon+1, rec_time.tm_mday, + rec_time.tm_year+1900, rec_time.tm_hour, rec_time.tm_min, + rec_time.tm_sec); return filename; } @@ -544,9 +547,11 @@ static char *make_base_save_name(int channel, time_t tm) { static char *make_save_name(pvr_input_plugin_t *this, char *base, int page) { char *filename; - filename = malloc(strlen(this->save_prefix)+strlen(base)+SAVE_FILENAME_SIZE); + + int size = strlen(this->save_prefix)+strlen(base)+SAVE_FILENAME_SIZE; + filename = malloc(size); - sprintf(filename, SAVE_FILENAME, this->save_prefix, base, page); + snprintf(filename, size, SAVE_FILENAME, this->save_prefix, base, page); return filename; } @@ -938,7 +943,8 @@ static void pvr_finish_recording (pvr_input_plugin_t *this) { data.mode = 0; data.id = show->id; - strcpy(data.name, show->base_name); + strncpy(data.name, show->base_name, sizeof(data.name)); + data.name[sizeof(data.name) - 1] = '\0'; xine_event_send(this->stream, &event); } else { diff --git a/src/input/mms.c b/src/input/mms.c index a113f062e..1094c5b8e 100644 --- a/src/input/mms.c +++ b/src/input/mms.c @@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA * - * $Id: mms.c,v 1.48 2004/04/15 22:10:55 tmattern Exp $ + * $Id: mms.c,v 1.49 2004/07/25 17:11:59 mroi Exp $ * * MMS over TCP protocol * based on work from major mms @@ -127,8 +127,6 @@ struct mms_s { char *scmd_body; /* pointer to &scmd[CMD_HEADER_LEN] */ int scmd_len; /* num bytes written in header */ - char str[1024]; /* scratch buffer to built strings */ - /* receive buffer */ uint8_t buf[BUF_SIZE]; int buf_size; @@ -820,6 +818,7 @@ mms_t *mms_connect (xine_stream_t *stream, const char *url, int bandwidth) { int url_conv = 0; #endif mms_t *this; + char str[1024]; int res; if (!url) @@ -872,11 +871,11 @@ mms_t *mms_connect (xine_stream_t *stream, const char *url, int bandwidth) { /* command 0x1 */ lprintf("send command 0x01\n"); mms_gen_guid(this->guid); - sprintf (this->str, "\x1c\x03NSPlayer/7.0.0.1956; {%s}; Host: %s", + snprintf (str, sizeof(str), "\x1c\x03NSPlayer/7.0.0.1956; {%s}; Host: %s", this->guid, this->host); - string_utf16 (url_conv, this->scmd_body, this->str, strlen(this->str) + 2); + string_utf16 (url_conv, this->scmd_body, str, strlen(str) + 2); - if (!send_command (this, 1, 0, 0x0004000b, strlen(this->str) * 2 + 8)) { + if (!send_command (this, 1, 0, 0x0004000b, strlen(str) * 2 + 8)) { xprintf(this->stream->xine, XINE_VERBOSITY_LOG, "libmms: failed to send command 0x01\n"); goto fail; -- cgit v1.2.3