[libdvdcss-devel] [PATCH] Squelch potential buffer overflow warning
astian
2018-03-24 23:17:00 UTC
GCC 7.3 points out that a buffer of size PATH_MAX is being written to
with data that can theoretically overflow (a string of maximum size
PATH_MAX plus other constant-size strings). Fix this by replacing
sprintf with snprintf.

Signed-off-by: astian <***@elude.in>
---

Please note that I just copied the error-out code from the other error
case just above in the same function. I didn't really try to understand
it. Please review.

Note also that there are still several other uses of sprintf, and of
snprintf where the return value is ignored. I made no attempt to
validate and/or fix those. TODO?

The warning was:

src/libdvdcss.c: In function ‘init_cache_dir’:
src/libdvdcss.c:323:27: warning: ‘/CACHEDIR.TAG’ directive writing 13
bytes into a region of size between 1 and 4096 [-Wformat-overflow=]
sprintf( psz_tagfile, "%s/" CACHE_TAG_NAME, dvdcss->psz_cachefile );
^~~~~
src/libdvdcss.c:323:30: note: format string is defined here
sprintf( psz_tagfile, "%s/" CACHE_TAG_NAME, dvdcss->psz_cachefile );
^
src/libdvdcss.c:323:5: note: ‘sprintf’ output between 14 and 4109
bytes into a destination of size 4096
sprintf( psz_tagfile, "%s/" CACHE_TAG_NAME, dvdcss->psz_cachefile );
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cheers.
---

src/libdvdcss.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/libdvdcss.c b/src/libdvdcss.c
index 8f4c421..cf49ece 100644
--- a/src/libdvdcss.c
+++ b/src/libdvdcss.c
@@ -320,7 +320,19 @@ static int init_cache_dir( dvdcss_t dvdcss )
return -1;
}

- sprintf( psz_tagfile, "%s/" CACHE_TAG_NAME, dvdcss->psz_cachefile );
+ i_ret = snprintf( psz_tagfile, sizeof(psz_tagfile), "%s/" CACHE_TAG_NAME,
+ dvdcss->psz_cachefile );
+ if ( i_ret < 0 || i_ret >= (int)sizeof(psz_tagfile))
+ {
+ if ( i_ret < 0)
+ print_error( dvdcss, "failed to compose cache directory tag path");
+ else
+ print_error( dvdcss, "cache directory tag path too long: %s/" CACHE_TAG_NAME,
+ dvdcss->psz_cachefile );
+ dvdcss->psz_cachefile[0] = '\0';
+ return -1;
+ }
+
i_fd = open( psz_tagfile, O_RDWR|O_CREAT, 0644 );
if( i_fd >= 0 )
{
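Review bot: The new failure branch clears the cache path and fails init_cache_dir (`dvdcss->psz_cachefile[0] = '\0'; return -1;`) when only the CACHEDIR.TAG path does not fit, and the cover note says this block was copied from the earlier error case without analysis. Please confirm that abandoning the cache directory is the intended outcome here, rather than skipping creation of the tag file and continuing. The truncation test `i_ret >= (int)sizeof(psz_tagfile)` is the right check for snprintf. Two smaller points: the hunk adds no declaration for `i_ret`, so it relies on one already existing in this function, and the spacing in `if ( i_ret < 0)` does not match the `if( i_fd >= 0 )` style of the surrounding context.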
--
2.16.2