[Mplayer-cvslog] CVS: main/Gui/mplayer common.c,1.3,1.4

D Richard Felker III dalias at aerifal.cx
Thu Jun 3 07:37:51 CEST 2004


On Wed, Jun 02, 2004 at 02:40:44PM +0200, Diego Biurrun CVS wrote:
> CVS change done by Diego Biurrun CVS
> 
> Update of /cvsroot/mplayer/main/Gui/mplayer
> In directory mail:/var2/tmp/cvs-serv16155/Gui/mplayer
> 
> Modified Files:
> 	common.c 
> Log Message:
> Buffer overflow fix in string handling, patch by c0ntex, approved by .so.
> 
> 
> Index: common.c
> ===================================================================
> RCS file: /cvsroot/mplayer/main/Gui/mplayer/common.c,v
> retrieving revision 1.3
> retrieving revision 1.4
> diff -u -r1.3 -r1.4
> --- common.c	20 Mar 2003 12:42:09 -0000	1.3
> +++ common.c	2 Jun 2004 12:40:41 -0000	1.4
> @@ -43,8 +43,8 @@
>     case STREAMTYPE_FILE:
>            if ( ( guiIntfStruct.Filename )&&( guiIntfStruct.Filename[0] ) )
>             {
> -	    if ( strrchr( guiIntfStruct.Filename,'/' ) ) strcpy( tmp,strrchr( guiIntfStruct.Filename,'/' ) + 1 );
> -	     else strcpy( tmp,guiIntfStruct.Filename );
> +	    if ( strrchr( guiIntfStruct.Filename,'/' ) ) strncpy( tmp,strrchr( guiIntfStruct.Filename,'/' ) + 1, 511 );
> +	     else strncpy( tmp,guiIntfStruct.Filename , 511);
>              if ( tmp[strlen( tmp ) - 4] == '.' ) tmp[strlen( tmp ) - 4]=0;
>              if ( tmp[strlen( tmp ) - 5] == '.' ) tmp[strlen( tmp ) - 5]=0;
>             } else strcpy( tmp,MSGTR_NoFileLoaded );
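Review bot: the two strncpy( tmp, ..., 511 ) calls on the added lines leave tmp without a terminating NUL whenever the source is 511 bytes or longer, and the very next context lines call strlen( tmp ) on it. Write the terminator explicitly after the copy (tmp[511] = 0), and if tmp is an array, derive the bound from sizeof( tmp ) instead of the literal 511, since the declaration is not visible in this hunk. The unchanged lines tmp[strlen( tmp ) - 4] and tmp[strlen( tmp ) - 5] also index before the start of the buffer when the name is shorter than 4 or 5 characters, so they need a length check. The else branch still copies MSGTR_NoFileLoaded with an unbounded strcpy.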

While this fixes the one overflow reported by c0ntex, you should be
aware that more remain, and that this fix might leave string buffers
unterminated in some cases. The code is so obfuscated it's hard to
tell, though. In any case, the whole module (common.c) is full of
buggy vulnerable code.

Rich
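
The unterminated-buffer concern raised in the reply above, as an added example that is not part of the original message and is not MPlayer code: `strncpy_terminates` shows when `strncpy` leaves no NUL, and `copy_title` is a hypothetical bounded replacement for the patched lines. The 512-byte buffer size and all names are assumptions, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 512   /* assumed size of tmp; the patch's 511 suggests 512 */

/* Returns 1 if strncpy(dst, src, n) left a NUL within the first n bytes,
 * 0 if the destination ended up unterminated. */
static int strncpy_terminates(const char *src, size_t n)
{
    char dst[TITLE_MAX];
    memset(dst, 'X', sizeof dst);       /* poison so a missing NUL is visible */
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* Hypothetical helper: copy the basename of path into dst (dstsize bytes),
 * always terminated, then strip a 3- and/or 4-character extension only when
 * the name is long enough to hold one. Returns the resulting length. */
static size_t copy_title(char *dst, size_t dstsize, const char *path)
{
    const char *slash, *base;
    size_t len;

    if (dstsize == 0) return 0;
    if (!path) path = "";
    slash = strrchr(path, '/');
    base = slash ? slash + 1 : path;
    len = strlen(base);
    if (len >= dstsize) len = dstsize - 1;   /* truncate, keep room for NUL */
    memcpy(dst, base, len);
    dst[len] = '\0';
    /* Same two checks as the patched code, with the lengths verified first. */
    if (len >= 4 && dst[len - 4] == '.') { dst[len - 4] = '\0'; len -= 4; }
    if (len >= 5 && dst[len - 5] == '.') { dst[len - 5] = '\0'; len -= 5; }
    return len;
}

int main(void)
{
    char title[TITLE_MAX], longname[600];
    memset(longname, 'A', sizeof longname - 1);      /* constructed input */
    longname[sizeof longname - 1] = '\0';
    printf("strncpy terminated: %d\n", strncpy_terminates(longname, TITLE_MAX - 1));
    printf("%zu %s\n", copy_title(title, sizeof title, "/tmp/movie.avi"), title);
    return 0;
}
```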



