diff options
author | Kenneth D. Merry <ken@FreeBSD.org> | 2001-02-07 20:19:53 +0000 |
---|---|---|
committer | Kenneth D. Merry <ken@FreeBSD.org> | 2001-02-07 20:19:53 +0000 |
commit | 664211684aa33f52f4ebd635ad1e3a2e380f6248 (patch) | |
tree | 039474fd8ba43eeacaf39550f48ec45560627bbf /audio/tosha/files | |
parent | Add ruby-libglade, a wrapper library of libglade for Ruby. (diff) |
Fix a core dump when doing 'tosha -i'. (Maintainer timeout after about two
months.)
The problem is in resolve_extension(). strncpy() will only null-terminate
the destination string if it has enough room, according to the given
length.
In this implementation, there will never be enough room to null-terminate
the string, from what I can tell. So if the memory in 'tmpstr' contains
non-nulls, you'll get a core-dump in the subsequent strcat().
Diffstat (limited to 'audio/tosha/files')
-rw-r--r-- | audio/tosha/files/patch-aa | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/audio/tosha/files/patch-aa b/audio/tosha/files/patch-aa new file mode 100644 index 000000000000..6b13be7d9e5d --- /dev/null +++ b/audio/tosha/files/patch-aa @@ -0,0 +1,23 @@ +*** tosha.c.orig Fri Jan 1 16:57:49 1999 +--- tosha.c Sun Dec 10 01:04:54 2000 +*************** +*** 240,247 **** + return template; + if (!(tmpstr = malloc(strlen(template) + strlen(formatspec->ext) - 1))) + out_of_memory(); +! if ((prefix = cptr - template)) + strncpy (tmpstr, template, prefix); + strcat (tmpstr + prefix, formatspec->ext); + prefix += strlen(formatspec->ext); + strcat (tmpstr + prefix, cptr + 2); +--- 240,249 ---- + return template; + if (!(tmpstr = malloc(strlen(template) + strlen(formatspec->ext) - 1))) + out_of_memory(); +! if ((prefix = cptr - template)) { + strncpy (tmpstr, template, prefix); ++ tmpstr[prefix] = '\0'; ++ } + strcat (tmpstr + prefix, formatspec->ext); + prefix += strlen(formatspec->ext); + strcat (tmpstr + prefix, cptr + 2); |