From 42b784ac1a0c71e7d494db68ff700101461f840f Mon Sep 17 00:00:00 2001
From: diego <diego@b3059339-0415-0410-9bf9-f77b7e298cf2>
Date: Fri, 25 Jun 2004 16:49:53 +0000
Subject: string handling security fixes patch by Nicholas Kain, Alexander
 Strasser <eclipse7@gmx.net> reviewed by Pontscho, Alex, Rich

git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@12647 b3059339-0415-0410-9bf9-f77b7e298cf2
---
 libmpdemux/cue_read.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

(limited to 'libmpdemux/cue_read.c')

diff --git a/libmpdemux/cue_read.c b/libmpdemux/cue_read.c
index ae43a789b2..11e4213b02 100644
--- a/libmpdemux/cue_read.c
+++ b/libmpdemux/cue_read.c
@@ -135,6 +135,10 @@ int cue_getTrackinfo(char *Line, tTrack *track)
 
 
 
+/* FIXME: the string operations ( strcpy,strcat ) below depend
+ * on the arrays to have the same size, thus we need to make
+ * sure the sizes are in sync.
+ */
 int cue_find_bin (char *firstline) {
   int i,j;
   char s[256];
@@ -178,7 +182,7 @@ int cue_find_bin (char *firstline) {
            bin_filename);
 
     /* now try to find it with the path of the cue file */
-    sprintf(s,"%s/%s",bincue_path, bin_filename);
+    snprintf(s,sizeof( s ),"%s/%s",bincue_path,bin_filename);
     fd_bin = open (s, O_RDONLY);
     if (fd_bin == -1)
     {
@@ -195,7 +199,7 @@ int cue_find_bin (char *firstline) {
                "[bincue] bin filename tested: %s\n", s);
 
         /* ok try it with path */
-        sprintf(t,"%s/%s",bincue_path, s);
+        snprintf(t, sizeof( t ), "%s/%s", bincue_path, s);
         fd_bin = open (t, O_RDONLY);
         if (fd_bin == -1)
         {
@@ -211,7 +215,7 @@ int cue_find_bin (char *firstline) {
             mp_msg(MSGT_OPEN,MSGL_STATUS,
                    "[bincue] bin filename tested: %s \n", s);
             /* ok try it with path */
-            sprintf(t,"%s/%s",bincue_path, s);
+            snprintf(t, sizeof( t ), "%s/%s", bincue_path, s);
             fd_bin = open (t, O_RDONLY);
             if (fd_bin == -1)
             {
@@ -299,15 +303,16 @@ int cue_read_cue (char *in_cue_filename)
        strcpy(t, "/");
   }
   printf ("dirname: %s\n", t);
-  strcpy(bincue_path,t);
+  strlcpy(bincue_path,t,sizeof( bincue_path ));
 
 
   /* no path at all? */
   if (strcmp(bincue_path, ".") == 0) {
     printf ("bincue_path: %s\n", bincue_path);
-    strcpy(cue_filename,in_cue_filename);
+    strlcpy(cue_filename,in_cue_filename,sizeof( cue_filename ));
   } else {
-    strcpy(cue_filename,in_cue_filename + strlen(bincue_path) + 1);
+    strlcpy(cue_filename,in_cue_filename + strlen(bincue_path) + 1,
+            sizeof( cue_filename ));
   }
 
 
-- 
cgit v1.2.3