[PATCH] bug fix for a buffer overflow in ivona

speechd-discuss

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] bug fix for a buffer overflow in ivona_client.c

From:	Trevor Saunders
Subject:	[PATCH] bug fix for a buffer overflow in ivona_client.c
Date:	Thu, 2 Sep 2010 03:02:09 -0400

play_icon() sprintf'd into a fixed length buffer.  Fix this by using
strlen to find out how long a buffer we need then allocate it with
g_malloc().
---
 src/modules/ivona_client.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/modules/ivona_client.c b/src/modules/ivona_client.c
index ab7423c..ad0690d 100644
--- a/src/modules/ivona_client.c
+++ b/src/modules/ivona_client.c
@@ -339,9 +339,11 @@ ivona_play_file(char *filename)
 
 void play_icon(char *name)
 {
-       char buf[256];
-       sprintf(buf,"%s%s",IvonaSoundIconPath,name);
+       int len = strlen(IvonaSoundIconPath) + strlen(name) + 2;
+       char *buf = g_malloc(len);
+sprintf(buf, "%s/%s", IvonaSoundIconPath, name);
        ivona_play_file(buf);
+       g_free(buf);
 }
 
 #define IVONA_CACHE_SIZE 256
-- 
1.7.1

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] bug fix for a buffer overflow in ivona_client.c, Trevor Saunders <=
- [PATCH] bug fix for a buffer overflow in ivona_client.c, Christopher Brannon, 2010/09/02
  - [PATCH] bug fix for a buffer overflow in ivona_client.c, Trevor Saunders, 2010/09/02

Prev by Date: [PATCH] remove duplicate implementations of a function
Next by Date: [PATCH] Reopen libao device handles when audio parameters change.
Previous by thread: [PATCH] remove duplicate implementations of a function
Next by thread: [PATCH] bug fix for a buffer overflow in ivona_client.c
Index(es):
- Date
- Thread