[MPlayer-cvslog] r23481 - branches/1.0rc1/stream/stream_cddb.c

[rtogni]

Author: rtogni
Date: Tue Jun  5 22:57:14 2007
New Revision: 23481

Log:
Avoiding sscanf in cddb support reading more data with %s than buffer 
size
Sceurity fix backported from r23470


Modified:
   branches/1.0rc1/stream/stream_cddb.c

Modified: branches/1.0rc1/stream/stream_cddb.c
==============================================================================
--- branches/1.0rc1/stream/stream_cddb.c	(original)
+++ branches/1.0rc1/stream/stream_cddb.c	Tue Jun  5 22:57:14 2007
@@ -435,7 +435,7 @@ cddb_read_parse(HTTP_header_t *http_hdr,
 
 	switch(status) {
 		case 210:
-			ret = sscanf( http_hdr->body, "%d %s %08lx", &status, category, &disc_id);
+			ret = sscanf( http_hdr->body, "%d %99s %08lx", &status, category, &disc_id);
 			if( ret!=3 ) {
 				mp_msg(MSGT_DEMUX, MSGL_ERR, MSGTR_ParseError);
 				return -1;
@@ -496,7 +496,7 @@ cddb_parse_matches_list(HTTP_header_t *h
 	ptr++;
 	// We have a list of exact/inexact matches, so which one do we use?
 	// So let's take the first one.
-	ret = sscanf(ptr, "%s %08lx %s", cddb_data->category, &(cddb_data->disc_id), album_title);
+	ret = sscanf(ptr, "%99s %08lx %99s", cddb_data->category, &(cddb_data->disc_id), album_title);
 	if( ret!=3 ) {
 		mp_msg(MSGT_DEMUX, MSGL_ERR, MSGTR_ParseError);
 		return -1;
@@ -533,7 +533,7 @@ cddb_query_parse(HTTP_header_t *http_hdr
 	switch(status) {
 		case 200:
 			// Found exact match
-			ret = sscanf(http_hdr->body, "%d %s %08lx %s", &status, cddb_data->category, &(cddb_data->disc_id), album_title);
+			ret = sscanf(http_hdr->body, "%d %99s %08lx %99s", &status, cddb_data->category, &(cddb_data->disc_id), album_title);
 			if( ret!=4 ) {
 				mp_msg(MSGT_DEMUX, MSGL_ERR, MSGTR_ParseError);
 				return -1;