[MPlayer-cvslog] r25824 - trunk/stream/stream_cddb.c

Rich Felker dalias at aerifal.cx
Wed Jan 30 03:23:41 CET 2008


On Sun, Jan 20, 2008 at 04:24:16PM -0500, Rich Felker wrote:
> On Sun, Jan 20, 2008 at 09:58:02PM +0100, rtogni wrote:
> > Author: rtogni
> > Date: Sun Jan 20 21:58:02 2008
> > New Revision: 25824
> > 
> > Log:
> > Prevent possible buffer overflow on album_title[]
> > Bassed on a patch by Adam Bozanich abozanich musecurity com
> > 
> > 
> > Modified:
> >    trunk/stream/stream_cddb.c
> > 
> > Modified: trunk/stream/stream_cddb.c
> > ==============================================================================
> > --- trunk/stream/stream_cddb.c	(original)
> > +++ trunk/stream/stream_cddb.c	Sun Jan 20 21:58:02 2008
> > @@ -58,6 +58,7 @@
> >  #include "version.h"
> >  #include "stream.h"
> >  #include "network.h"
> > +#include "libavutil/intreadwrite.h"
> >  
> >  #define DEFAULT_FREEDB_SERVER	"freedb.freedb.org"
> >  #define DEFAULT_CACHE_DIR	"/.cddb/"
> > @@ -503,8 +504,9 @@ cddb_parse_matches_list(HTTP_header_t *h
> >  		} else {
> >  			len = ptr2-ptr+1;
> >  		}
> > +		len = FFMIN(sizeof(album_title) - 1, len);
> >  		strncpy(album_title, ptr, len);
> > -		album_title[len-2]='\0';
> > +		album_title[len]='\0';
> 
> This is just a nasty workaround for misuse of strncpy. Use strlcpy
> (av_strlcpy?) or even snprintf instead...

Try this:

snprintf(album_title, sizeof(album_title), "%.*s", len, ptr);

This conveys the intended semantics in one concise line: generate a
string from the first len (or fewer) bytes at ptr and store it in
album_title, which has a max size of sizeof(album_title) bytes.

Rich



More information about the MPlayer-cvslog mailing list