From 664211684aa33f52f4ebd635ad1e3a2e380f6248 Mon Sep 17 00:00:00 2001
From: "Kenneth D. Merry" <ken@FreeBSD.org>
Date: Wed, 7 Feb 2001 20:19:53 +0000
Subject: Fix a core dump when doing 'tosha -i'.  (Maintainer timeout after
 about two months.)

The problem is in resolve_extension().  strncpy() will only null-terminate
the destination string if it has enough room, according to the given
length.

In this implementation, there will never be enough room to null-terminate
the string, from what I can tell.  So if the memory in 'tmpstr' contains
non-nulls, you'll get a core-dump in the subsequent strcat().
---
 audio/tosha/files/patch-aa | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 audio/tosha/files/patch-aa


diff --git a/audio/tosha/files/patch-aa b/audio/tosha/files/patch-aa
new file mode 100644
index 000000000000..6b13be7d9e5d
--- /dev/null
+++ b/audio/tosha/files/patch-aa
@@ -0,0 +1,23 @@
+*** tosha.c.orig	Fri Jan  1 16:57:49 1999
+--- tosha.c	Sun Dec 10 01:04:54 2000
+***************
+*** 240,247 ****
+  		return template;
+  	if (!(tmpstr = malloc(strlen(template) + strlen(formatspec->ext) - 1)))
+  		out_of_memory();
+! 	if ((prefix = cptr - template))
+  		strncpy (tmpstr, template, prefix);
+  	strcat (tmpstr + prefix, formatspec->ext);
+  	prefix += strlen(formatspec->ext);
+  	strcat (tmpstr + prefix, cptr + 2);
+--- 240,249 ----
+  		return template;
+  	if (!(tmpstr = malloc(strlen(template) + strlen(formatspec->ext) - 1)))
+  		out_of_memory();
+! 	if ((prefix = cptr - template)) {
+  		strncpy (tmpstr, template, prefix);
++ 		tmpstr[prefix] = '\0';
++ 	}
+  	strcat (tmpstr + prefix, formatspec->ext);
+  	prefix += strlen(formatspec->ext);
+  	strcat (tmpstr + prefix, cptr + 2);
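Review bot: The new `tmpstr[prefix] = '\0';` is written only inside the `if ((prefix = cptr - template))` branch, so when `prefix` is 0 the buffer from malloc() is still uninitialized. The next `strcat (tmpstr + prefix, formatspec->ext)` then searches that memory for a terminator and can write past the allocation, the same fault this patch fixes for the non-zero case. Placing the assignment after the closing brace covers both paths: `tmpstr[prefix] = '\0';`. Since a zero-length copy writes nothing, the `if` could also be dropped and the copy done unconditionally with `memcpy (tmpstr, template, prefix);`. resolve_extension() begins and ends outside the hunk, so whether `cptr` can equal `template` (a template that starts with the placeholder) is inferred rather than visible here.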
-- 
cgit v1.2.3