From 42b784ac1a0c71e7d494db68ff700101461f840f Mon Sep 17 00:00:00 2001 From: diego Date: Fri, 25 Jun 2004 16:49:53 +0000 Subject: string handling security fixes patch by Nicholas Kain, Alexander Strasser reviewed by Pontscho, Alex, Rich git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@12647 b3059339-0415-0410-9bf9-f77b7e298cf2 --- Gui/interface.c | 8 +++- Gui/mplayer/common.c | 107 +++++++++++++++++++++++++++++++-------------------- Gui/skin/font.c | 7 ++-- Gui/skin/skin.c | 27 +++++++------ 4 files changed, 91 insertions(+), 58 deletions(-) (limited to 'Gui') diff --git a/Gui/interface.c b/Gui/interface.c index 8778002c05..52c0ab3168 100644 --- a/Gui/interface.c +++ b/Gui/interface.c @@ -54,8 +54,12 @@ char * gstrcat( char ** dest,char * src ) if ( *dest ) { tmp=malloc( strlen( *dest ) + strlen( src ) + 1 ); - strcpy( tmp,*dest ); strcat( tmp,src ); free( *dest ); - } + + if ( tmp ) /* TODO: advanced error handling */ + { + strcpy( tmp,*dest ); strcat( tmp,src ); free( *dest ); + } + } else { tmp=malloc( strlen( src ) + 1 ); strcpy( tmp,src ); } *dest=tmp; diff --git a/Gui/mplayer/common.c b/Gui/mplayer/common.c index 861227abf1..d206b4d27c 100644 --- a/Gui/mplayer/common.c +++ b/Gui/mplayer/common.c 
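Review bot: The `else` branch of gstrcat still runs `strcpy( tmp,src )` on an unchecked `malloc` result, so the NULL test added in this hunk covers only the append path. On the append path a failed allocation skips `free( *dest )`, and the following `*dest=tmp;` then replaces the only pointer to the old string with NULL, which leaks it and silently discards the caller's data. I would guard the copy as `if ( tmp ) strcpy( tmp,src );` and make the final store conditional, `if ( tmp ) *dest=tmp;`, so a failed call leaves `*dest` as it was. The return statement is outside the hunk, so how failure is reported to callers should be checked there.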
@@ -32,35 +32,39 @@ extern unsigned int GetTimerMS( void ); -inline void TranslateFilename( int c,char * tmp ) +inline void TranslateFilename( int c,char * tmp,size_t tmplen ) { int i; + char * p; + switch ( guiIntfStruct.StreamType ) { case STREAMTYPE_STREAM: - strcpy( tmp,guiIntfStruct.Filename ); + strlcpy(tmp, guiIntfStruct.Filename, tmplen); break; case STREAMTYPE_FILE: if ( ( guiIntfStruct.Filename )&&( guiIntfStruct.Filename[0] ) ) { - if ( strrchr( guiIntfStruct.Filename,'/' ) ) strncpy( tmp,strrchr( guiIntfStruct.Filename,'/' ) + 1, 511 ); - else strncpy( tmp,guiIntfStruct.Filename , 511); + if ( p = strrchr(guiIntfStruct.Filename, '/') ) + strlcpy(tmp, p + 1, tmplen); + else + strlcpy(tmp, guiIntfStruct.Filename, tmplen); if ( tmp[strlen( tmp ) - 4] == '.' ) tmp[strlen( tmp ) - 4]=0; if ( tmp[strlen( tmp ) - 5] == '.' ) tmp[strlen( tmp ) - 5]=0; - } else strcpy( tmp,MSGTR_NoFileLoaded ); + } else strlcpy( tmp,MSGTR_NoFileLoaded,tmplen ); break; #ifdef USE_DVDREAD case STREAMTYPE_DVD: - if ( guiIntfStruct.DVD.current_chapter ) sprintf( tmp,MSGTR_Chapter,guiIntfStruct.DVD.current_chapter ); - else strcat( tmp,MSGTR_NoChapter ); + if ( guiIntfStruct.DVD.current_chapter ) snprintf(tmp,tmplen,MSGTR_Chapter,guiIntfStruct.DVD.current_chapter ); + else strlcat( tmp,MSGTR_NoChapter,tmplen ); break; #endif #ifdef HAVE_VCD case STREAMTYPE_VCD: - sprintf( tmp,MSGTR_VCDTrack,guiIntfStruct.Track ); + snprintf( tmp,tmplen,MSGTR_VCDTrack,guiIntfStruct.Track ); break; #endif - default: strcpy( tmp,MSGTR_NoMediaOpened ); + default: strlcpy( tmp,MSGTR_NoMediaOpened,tmplen ); } if ( c ) { 
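Review bot: In the STREAMTYPE_FILE branch the extension checks index `tmp[strlen( tmp ) - 4]` and `tmp[strlen( tmp ) - 5]` without looking at the length, so a base name shorter than five characters (or an empty one, when Filename ends in '/') makes the unsigned subtraction wrap and the read, and possibly the write of 0, lands outside the buffer. The new `tmplen` bound does not help, because the index is derived from the string rather than from the buffer size. Suggest `size_t len = strlen( tmp );` followed by `if ( len > 4 && tmp[len - 4] == '.' ) tmp[len - 4]=0;` and the equivalent guard for the 5 case. Separately, the STREAMTYPE_STREAM branch passes `guiIntfStruct.Filename` to `strlcpy` without the NULL test the FILE branch has; whether it can be NULL there is not visible from this hunk.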
@@ -74,75 +78,94 @@ inline void TranslateFilename( int c,char * tmp ) } } +/* Unsafe! Pass only null-terminated strings as (char *)str. */ char * Translate( char * str ) { static char trbuf[512]; char tmp[512]; int i,c; int t; + int strsize = 0; memset( trbuf,0,512 ); memset( tmp,0,128 ); - for ( c=0,i=0;i < (int)strlen( str );i++ ) + strsize = strlen(str); + for ( c=0,i=0;i < strsize;i++ ) { if ( str[i] != '$' ) { trbuf[c++]=str[i]; trbuf[c]=0; } else { switch ( str[++i] ) { - case 't': sprintf( tmp,"%02d",guiIntfStruct.Track ); strcat( trbuf,tmp ); break; - case 'o': TranslateFilename( 0,tmp ); strcat( trbuf,tmp ); break; - case 'f': TranslateFilename( 1,tmp ); strcat( trbuf,tmp ); break; - case 'F': TranslateFilename( 2,tmp ); strcat( trbuf,tmp ); break; + case 't': snprintf( tmp,sizeof( tmp ),"%02d",guiIntfStruct.Track ); + strlcat( trbuf,tmp,sizeof( trbuf ) ); break; + case 'o': TranslateFilename( 0,tmp,sizeof( tmp ) ); + strlcat( trbuf,tmp,sizeof( trbuf ) ); break; + case 'f': TranslateFilename( 1,tmp,sizeof( tmp ) ); + strlcat( trbuf,tmp,sizeof( trbuf ) ); break; + case 'F': TranslateFilename( 2,tmp,sizeof( tmp ) ); + strlcat( trbuf,tmp,sizeof( trbuf ) ); break; case '6': t=guiIntfStruct.LengthInSec; goto calclengthhhmmss; case '1': t=guiIntfStruct.TimeSec; calclengthhhmmss: - sprintf( tmp,"%02d:%02d:%02d",t/3600,t/60%60,t%60 ); strcat( trbuf,tmp ); + snprintf( tmp,sizeof( tmp ),"%02d:%02d:%02d",t/3600,t/60%60,t%60 ); + strlcat( trbuf,tmp,sizeof( trbuf ) ); break; case '7': t=guiIntfStruct.LengthInSec; goto calclengthmmmmss; case '2': t=guiIntfStruct.TimeSec; calclengthmmmmss: - sprintf( tmp,"%04d:%02d",t/60,t%60 ); strcat( trbuf,tmp ); + snprintf( tmp,sizeof( tmp ),"%04d:%02d",t/60,t%60 ); + strlcat( trbuf,tmp,sizeof( trbuf ) ); break; - case '3': sprintf( tmp,"%02d",guiIntfStruct.TimeSec / 3600 ); strcat( trbuf,tmp ); break; - case '4': sprintf( tmp,"%02d",( ( guiIntfStruct.TimeSec / 60 ) % 60 ) ); strcat( trbuf,tmp ); break; - case '5': sprintf( 
tmp,"%02d",guiIntfStruct.TimeSec % 60 ); strcat( trbuf,tmp ); break; - case '8': sprintf( tmp,"%01d:%02d:%02d",guiIntfStruct.TimeSec / 3600,( guiIntfStruct.TimeSec / 60 ) % 60,guiIntfStruct.TimeSec % 60 ); strcat( trbuf,tmp ); break; - case 'v': sprintf( tmp,"%3.2f%%",guiIntfStruct.Volume ); strcat( trbuf,tmp ); break; - case 'V': sprintf( tmp,"%3.1f",guiIntfStruct.Volume ); strcat( trbuf,tmp ); break; - case 'b': sprintf( tmp,"%3.2f%%",guiIntfStruct.Balance ); strcat( trbuf,tmp ); break; - case 'B': sprintf( tmp,"%3.1f",guiIntfStruct.Balance ); strcat( trbuf,tmp ); break; - case 'd': sprintf( tmp,"%d",guiIntfStruct.FrameDrop ); strcat( trbuf,tmp ); break; - case 'x': sprintf( tmp,"%d",guiIntfStruct.MovieWidth ); strcat( trbuf,tmp ); break; - case 'y': sprintf( tmp,"%d",guiIntfStruct.MovieHeight ); strcat( trbuf,tmp ); break; - case 'C': sprintf( tmp,"%s", guiIntfStruct.sh_video? ((sh_video_t *)guiIntfStruct.sh_video)->codec->name : ""); - strcat( trbuf,tmp ); break; - case 's': if ( guiIntfStruct.Playing == 0 ) strcat( trbuf,"s" ); break; - case 'l': if ( guiIntfStruct.Playing == 1 ) strcat( trbuf,"p" ); break; - case 'e': if ( guiIntfStruct.Playing == 2 ) strcat( trbuf,"e" ); break; + case '3': snprintf( tmp,sizeof( tmp ),"%02d",guiIntfStruct.TimeSec / 3600 ); + strlcat( trbuf,tmp,sizeof( trbuf ) ); break; + case '4': snprintf( tmp,sizeof( tmp ),"%02d",( ( guiIntfStruct.TimeSec / 60 ) % 60 ) ); + strlcat( trbuf,tmp,sizeof( trbuf ) ); break; + case '5': snprintf( tmp,sizeof( tmp ),"%02d",guiIntfStruct.TimeSec % 60 ); + strlcat( trbuf,tmp,sizeof( trbuf ) ); break; + case '8': snprintf( tmp,sizeof( tmp ),"%01d:%02d:%02d",guiIntfStruct.TimeSec / 3600,( guiIntfStruct.TimeSec / 60 ) % 60,guiIntfStruct.TimeSec % 60 ); strlcat( trbuf,tmp,sizeof( trbuf ) ); break; + case 'v': snprintf( tmp,sizeof( tmp ),"%3.2f%%",guiIntfStruct.Volume ); + strlcat( trbuf,tmp,sizeof( trbuf ) ); break; + case 'V': snprintf( tmp,sizeof( tmp ),"%3.1f",guiIntfStruct.Volume ); + strlcat( 
trbuf,tmp,sizeof( trbuf ) ); break; + case 'b': snprintf( tmp,sizeof( tmp ),"%3.2f%%",guiIntfStruct.Balance ); + strlcat( trbuf,tmp,sizeof( trbuf ) ); break; + case 'B': snprintf( tmp,sizeof( tmp ),"%3.1f",guiIntfStruct.Balance ); + strlcat( trbuf,tmp,sizeof( trbuf ) ); break; + case 'd': snprintf( tmp,sizeof( tmp ),"%d",guiIntfStruct.FrameDrop ); + strlcat( trbuf,tmp,sizeof( trbuf ) ); break; + case 'x': snprintf( tmp,sizeof( tmp ),"%d",guiIntfStruct.MovieWidth ); + strlcat( trbuf,tmp,sizeof( trbuf ) ); break; + case 'y': snprintf( tmp,sizeof( tmp ),"%d",guiIntfStruct.MovieHeight ); + strlcat( trbuf,tmp,sizeof( trbuf ) ); break; + case 'C': snprintf( tmp,sizeof( tmp ),"%s", guiIntfStruct.sh_video? ((sh_video_t *)guiIntfStruct.sh_video)->codec->name : ""); + strlcat( trbuf,tmp,sizeof( trbuf ) ); break; + case 's': if ( guiIntfStruct.Playing == 0 ) strlcat( trbuf,"s",sizeof( trbuf ) ); break; + case 'l': if ( guiIntfStruct.Playing == 1 ) strlcat( trbuf,"p",sizeof( trbuf ) ); break; + case 'e': if ( guiIntfStruct.Playing == 2 ) strlcat( trbuf,"e",sizeof( trbuf ) ); break; case 'a': - if ( muted ) { strcat( trbuf,"n" ); break; } + if ( muted ) { strlcat( trbuf,"n",sizeof( trbuf ) ); break; } switch ( guiIntfStruct.AudioType ) { - case 0: strcat( trbuf,"n" ); break; - case 1: strcat( trbuf,"m" ); break; - case 2: strcat( trbuf,"t" ); break; + case 0: strlcat( trbuf,"n",sizeof( trbuf ) ); break; + case 1: strlcat( trbuf,"m",sizeof( trbuf ) ); break; + case 2: strlcat( trbuf,"t",sizeof( trbuf ) ); break; } break; case 'T': switch ( guiIntfStruct.StreamType ) { - case STREAMTYPE_FILE: strcat( trbuf,"f" ); break; + case STREAMTYPE_FILE: strlcat( trbuf,"f",sizeof( trbuf ) ); break; #ifdef HAVE_VCD - case STREAMTYPE_VCD: strcat( trbuf,"v" ); break; + case STREAMTYPE_VCD: strlcat( trbuf,"v",sizeof( trbuf ) ); break; #endif - case STREAMTYPE_STREAM: strcat( trbuf,"u" ); break; + case STREAMTYPE_STREAM: strlcat( trbuf,"u",sizeof( trbuf ) ); break; #ifdef USE_DVDREAD - case 
STREAMTYPE_DVD: strcat( trbuf,"d" ); break; + case STREAMTYPE_DVD: strlcat( trbuf,"d",sizeof( trbuf ) ); break; #endif - default: strcat( trbuf," " ); break; + default: strlcat( trbuf," ",sizeof( trbuf ) ); break; } break; - case '$': strcat( trbuf,"$" ); break; + case '$': strlcat( trbuf,"$",sizeof( trbuf ) ); break; default: continue; } c=strlen( trbuf ); diff --git a/Gui/skin/font.c b/Gui/skin/font.c index 14ff3fcece..4ee6dfd85c 100644 --- a/Gui/skin/font.c +++ b/Gui/skin/font.c @@ -27,7 +27,7 @@ int fntAddNewFont( char * name ) if ( ( Fonts[id]=calloc( 1,sizeof( bmpFont ) ) ) == NULL ) return -1; - strcpy( Fonts[id]->name,name ); + strlcpy( Fonts[id]->name,name,128 ); // FIXME: as defined in font.h for ( i=0;i<256;i++ ) Fonts[id]->Fnt[i].x=Fonts[id]->Fnt[i].y=Fonts[id]->Fnt[i].sx=Fonts[id]->Fnt[i].sy=-1; @@ -60,7 +60,8 @@ int fntRead( char * path,char * fname ) if ( id < 0 ) return id; - strcpy( tmp,path ); strcat( tmp,fname ); strcat( tmp,".fnt" ); + strlcpy( tmp,path,sizeof( tmp ) ); + strlcat( tmp,fname,sizeof( tmp ) ); strlcat( tmp,".fnt",sizeof( tmp ) ); if ( ( f=fopen( tmp,"rt" ) ) == NULL ) { free( Fonts[id] ); return -3; } @@ -93,7 +94,7 @@ int fntRead( char * path,char * fname ) { if ( !strcmp( command,"image" ) ) { - strcpy( tmp,path ); strcat( tmp,param ); + strlcpy( tmp,path,sizeof( tmp ) ); strlcat( tmp,param,sizeof( tmp ) ); mp_dbg( MSGT_GPLAYER,MSGL_DBG2,"[font] font imagefile: %s\n",tmp ); if ( skinBPRead( tmp,&Fonts[id]->Bitmap ) ) return -4; } diff --git a/Gui/skin/skin.c b/Gui/skin/skin.c index cfd1ff5f3f..3fa2cfe966 100644 --- a/Gui/skin/skin.c +++ b/Gui/skin/skin.c 
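Review bot: The literal-copy path `trbuf[c++]=str[i]; trbuf[c]=0;` in Translate is still unbounded: every `strcat` became `strlcat`, but once `c` reaches 511 the next ordinary character writes its terminator past the end of the 512-byte static `trbuf`. The comment added above the function warns about termination only, not about length, and the strings presumably come from skin files. A guard such as `if ( c < (int)sizeof( trbuf ) - 1 ) { trbuf[c++]=str[i]; trbuf[c]=0; }` closes it. Also, `memset( tmp,0,128 )` clears only a quarter of the 512-byte `tmp`; `sizeof( tmp )` would match the declaration. The end of the function is outside the hunk.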
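Review bot: The bound in `strlcpy( Fonts[id]->name,name,128 )` is a literal that has to be kept in step with font.h by hand, as the FIXME itself admits. If `name` is an array member of bmpFont (its declaration is not in this diff), `strlcpy( Fonts[id]->name,name,sizeof( Fonts[id]->name ) );` gives the same bound and cannot drift when the struct changes. If it turns out to be a pointer, the 128 should become a named constant shared with font.h.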
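Review bot: The return values of `strlcpy`/`strlcat` are dropped when building `tmp` in fntRead, so an over-long `path` plus `fname` is silently truncated and `fopen` is attempted on a different name than the skin requested. The same pattern appears in the second fntRead hunk and in the skin.c hunks for cmd_base, cmd_button, cmd_selected, cmd_hpotmeter, cmd_potmeter and setname. Truncation is memory-safe, but treating it as an error keeps the loader from opening an unintended file, e.g. `if ( strlcat( tmp,".fnt",sizeof( tmp ) ) >= sizeof( tmp ) ) { free( Fonts[id] ); return -3; }`. Note also that the existing failure path frees `Fonts[id]` without clearing the slot, which leaves a dangling pointer in `Fonts` unless the caller resets it.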
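Review bot: The early `return -4` after a failed `skinBPRead` appears to sit inside the code that is still reading from `f`, and nothing visible in this hunk closes `f` or releases `Fonts[id]` first. That looks like a leaked FILE handle and font slot for every font file with a bad image line. If no cleanup exists further out, `{ fclose( f ); return -4; }` would at least close the file. fntRead begins and ends outside this hunk, so this needs checking against the full function.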
@@ -116,7 +116,7 @@ int cmd_window( char * in ) { CHECKDEFLIST( "window" ); - strcpy( window_name,strlower( in ) ); + strlcpy( window_name,strlower( in ),sizeof( window_name ) ); if ( !strncmp( in,"main",4 ) ) { currSection=&skinAppMPlayer->main; currSubItem=&skinAppMPlayer->NumberOfItems; currSubItems=skinAppMPlayer->Items; } else if ( !strncmp( in,"sub",3 ) ) currSection=&skinAppMPlayer->sub; else if ( !strncmp( in,"playbar",7 ) ) { currSection=&skinAppMPlayer->bar; currSubItem=&skinAppMPlayer->NumberOfBarItems; currSubItems=skinAppMPlayer->barItems; } @@ -147,7 +147,7 @@ int cmd_base( char * in ) defList->main.x=x; defList->main.y=y; defList->main.type=itBase; - strcpy( tmp,path ); strcat( tmp,fname ); + strlcpy(tmp, path, sizeof( tmp )); strlcat(tmp, fname, sizeof( tmp )); if ( skinBPRead( tmp,&defList->main.Bitmap ) ) return 1; defList->main.width=defList->main.Bitmap.Width; defList->main.height=defList->main.Bitmap.Height; @@ -162,7 +162,7 @@ int cmd_base( char * in ) if ( !strcmp( window_name,"sub" ) ) { defList->sub.type=itBase; - strcpy( tmp,path ); strcat( tmp,fname ); + strlcpy(tmp, path, sizeof( tmp )); strlcat(tmp, fname, sizeof( tmp )); if ( skinBPRead( tmp,&defList->sub.Bitmap ) ) return 1; defList->sub.x=x; defList->sub.y=y; @@ -179,7 +179,7 @@ int cmd_base( char * in ) { defList->menuIsPresent=1; defList->menuBase.type=itBase; - strcpy( tmp,path ); strcat( tmp,fname ); + strlcpy(tmp, path, sizeof( tmp )); strlcat(tmp, fname, sizeof( tmp )); if ( skinBPRead( tmp,&defList->menuBase.Bitmap ) ) return 1; defList->menuBase.width=defList->menuBase.Bitmap.Width; defList->menuBase.height=defList->menuBase.Bitmap.Height; 
@@ -197,7 +197,7 @@ int cmd_base( char * in ) defList->bar.x=x; defList->bar.y=y; defList->bar.type=itBase; - strcpy( tmp,path ); strcat( tmp,fname ); + strlcpy(tmp, path, sizeof( tmp )); strlcat(tmp, fname, sizeof( tmp )); if ( skinBPRead( tmp,&defList->bar.Bitmap ) ) return 1; defList->bar.width=defList->bar.Bitmap.Width; defList->bar.height=defList->bar.Bitmap.Height; @@ -268,7 +268,7 @@ int cmd_button( char * in ) currSubItems[ *currSubItem ].Bitmap.Image=NULL; if ( strcmp( fname,"NULL" ) ) { - strcpy( tmp,path ); strcat( tmp,fname ); + strlcpy(tmp, path, sizeof( tmp )); strlcat(tmp, fname, sizeof( tmp )); if ( skinBPRead( tmp,&currSubItems[ *currSubItem ].Bitmap ) ) return 1; } @@ -289,7 +289,7 @@ int cmd_selected( char * in ) cutItem( in,fname,',',0 ); defList->menuSelected.type=itBase; - strcpy( tmp,path ); strcat( tmp,fname ); + strlcpy(tmp, path, sizeof( tmp )); strlcat(tmp, fname, sizeof( tmp )); mp_dbg( MSGT_GPLAYER,MSGL_DBG2,"\n[skin] selected: %s\n",fname ); if ( skinBPRead( tmp,&defList->menuSelected.Bitmap ) ) return 1; defList->menuSelected.width=defList->menuSelected.Bitmap.Width; @@ -381,14 +381,14 @@ int cmd_hpotmeter( char * in ) item->Bitmap.Image=NULL; if ( strcmp( phfname,"NULL" ) ) { - strcpy( tmp,path ); strcat( tmp,phfname ); + strlcpy(tmp, path, sizeof( tmp )); strlcat(tmp, phfname, sizeof( tmp )); if ( skinBPRead( tmp,&item->Bitmap ) ) return 1; } item->Mask.Image=NULL; if ( strcmp( pfname,"NULL" ) ) { - strcpy( tmp,path ); strcat( tmp,pfname ); + strlcpy(tmp, path, sizeof( tmp )); strlcat(tmp, pfname, sizeof( tmp )); if ( skinBPRead( tmp,&item->Mask ) ) return 1; } return 0; @@ -445,7 +445,7 @@ int cmd_potmeter( char * in ) item->Bitmap.Image=NULL; if ( strcmp( phfname,"NULL" ) ) { - strcpy( tmp,path ); strcat( tmp,phfname ); + strlcpy(tmp, path, sizeof( tmp )); strlcat(tmp, phfname, sizeof( tmp )); if ( skinBPRead( tmp,&item->Bitmap ) ) return 1; } return 0; 
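Review bot: In cmd_selected, `cutItem( in,fname,',',0 )` fills `fname` from the skin line without passing a destination size, so the bounded concatenation into `tmp` that follows protects only the second buffer. If cutItem does not limit its copy to the size of `fname` (neither its body nor the declaration of `fname` is in this diff), an over-long field overflows `fname` before `strlcpy` is ever reached. The same question applies to whatever fills `fname`, `phfname` and `pfname` in cmd_base, cmd_button, cmd_hpotmeter and cmd_potmeter. Giving cutItem a size parameter, or rejecting over-long fields before the call, would make the hardening in this commit complete.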
@@ -655,7 +655,12 @@ char * trim( char * in ) FILE * skinFile; void setname( char * item1, char * item2 ) -{ strcpy( fn,item1 ); strcat( fn,"/" ); strcat( fn,item2 ); strcpy( path,fn ); strcat( path,"/" ); strcat( fn,"/skin" ); } +{ + strlcpy(fn, item1, sizeof( fn )); + strlcat(fn, "/", sizeof( fn )); strlcat(fn, item2, sizeof( fn )); + strlcpy(path, fn, sizeof( path )); strlcat(path, "/", sizeof( path )); + strlcat(fn, "/skin", sizeof( fn )); +} int skinRead( char * dname ) { -- cgit v1.2.3