Fix a core dump when doing 'tosha -i'. (Maintainer timeout after about two
months.) The problem is in resolve_extension(). strncpy() will only null-terminate the destination string if it has enough room, according to the given length. In this implementation, there will never be enough room to null-terminate the string, from what I can tell. So if the memory in 'tmpstr' contains non-nulls, you'll get a core-dump in the subsequent strcat().
This commit is contained in:
Kenneth D. Merry
parent
5f46ac1988
commit
664211684a
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=38076
23
audio/tosha/files/patch-aa
Normal file
23
audio/tosha/files/patch-aa
Normal file
@ -0,0 +1,23 @@
|
||||
*** tosha.c.orig Fri Jan 1 16:57:49 1999
|
||||
--- tosha.c Sun Dec 10 01:04:54 2000
|
||||
***************
|
||||
*** 240,247 ****
|
||||
return template;
|
||||
if (!(tmpstr = malloc(strlen(template) + strlen(formatspec->ext) - 1)))
|
||||
out_of_memory();
|
||||
! if ((prefix = cptr - template))
|
||||
strncpy (tmpstr, template, prefix);
|
||||
strcat (tmpstr + prefix, formatspec->ext);
|
||||
prefix += strlen(formatspec->ext);
|
||||
strcat (tmpstr + prefix, cptr + 2);
|
||||
--- 240,249 ----
|
||||
return template;
|
||||
if (!(tmpstr = malloc(strlen(template) + strlen(formatspec->ext) - 1)))
|
||||
out_of_memory();
|
||||
! if ((prefix = cptr - template)) {
|
||||
strncpy (tmpstr, template, prefix);
|
||||
+ tmpstr[prefix] = '\0';
|
||||
+ }
|
||||
strcat (tmpstr + prefix, formatspec->ext);
|
||||
prefix += strlen(formatspec->ext);
|
||||
strcat (tmpstr + prefix, cptr + 2);
|
||||
Loading…
Reference in New Issue
Block a user