diff options
author | ken <ken@FreeBSD.org> | 2001-02-07 20:19:53 +0000 |
---|---|---|
committer | ken <ken@FreeBSD.org> | 2001-02-07 20:19:53 +0000 |
commit | 1fc2fe2c6391adc64d2a7bbaf54627585fa1f305 (patch) | |
tree | db64b0904565f9bbab742aa0f8535bd82552e2ac /audio/tosha | |
parent | 7de75952d49146c8b546b5b955d1a8e06eeed490 (diff) | |
download | FreeBSD-ports-1fc2fe2c6391adc64d2a7bbaf54627585fa1f305.zip FreeBSD-ports-1fc2fe2c6391adc64d2a7bbaf54627585fa1f305.tar.gz |
Fix a core dump when doing 'tosha -i'. (Maintainer timeout after about two
months.)
The problem is in resolve_extension(). strncpy() will only null-terminate
the destination string if it has enough room, according to the given
length.
In this implementation, there will never be enough room to null-terminate
the string, from what I can tell. So if the memory in 'tmpstr' contains
non-nulls, you'll get a core-dump in the subsequent strcat().
Diffstat (limited to 'audio/tosha')
-rw-r--r-- | audio/tosha/files/patch-aa | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/audio/tosha/files/patch-aa b/audio/tosha/files/patch-aa new file mode 100644 index 0000000..6b13be7 --- /dev/null +++ b/audio/tosha/files/patch-aa @@ -0,0 +1,23 @@ +*** tosha.c.orig Fri Jan 1 16:57:49 1999 +--- tosha.c Sun Dec 10 01:04:54 2000 +*************** +*** 240,247 **** + return template; + if (!(tmpstr = malloc(strlen(template) + strlen(formatspec->ext) - 1))) + out_of_memory(); +! if ((prefix = cptr - template)) + strncpy (tmpstr, template, prefix); + strcat (tmpstr + prefix, formatspec->ext); + prefix += strlen(formatspec->ext); + strcat (tmpstr + prefix, cptr + 2); +--- 240,249 ---- + return template; + if (!(tmpstr = malloc(strlen(template) + strlen(formatspec->ext) - 1))) + out_of_memory(); +! if ((prefix = cptr - template)) { + strncpy (tmpstr, template, prefix); ++ tmpstr[prefix] = '\0'; ++ } + strcat (tmpstr + prefix, formatspec->ext); + prefix += strlen(formatspec->ext); + strcat (tmpstr + prefix, cptr + 2); |