On Wed, Apr 16, 2008 at 10:21:13PM +0200, Nico Golde wrote: > Hi, > * [EMAIL PROTECTED] [2008-04-16 22:05]: > > Thanks for the help. I have made a patch that would fix the possible > > buffer overflows. Please check the attached patch. > [...] > > if(path[0]!='/') > > - sprintf(tmp,"%s/translations/%s",DATAPATH,path); > > + snprintf(tmp,302,"%s/translations/%s",DATAPATH,path); > > off-by two. Why don't you just use sizeof(tmp)?
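Review bot: the size argument in the added snprintf line is the hard-coded literal 302, which the quoted review calls off by two, so the bound does not match the buffer it is meant to protect. Derive it from the destination instead (sizeof(tmp) if tmp is an array in this scope; its declaration is not in the quoted hunk). The return value is also ignored: a result greater than or equal to the size means the path was truncated, and that case should be treated as an error, not passed on to whatever opens the file.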
And why use sizeof(tmp) with the possibility of truncating the resulting string while we can properly malloc() enough size to hold the whole path?

--
GPG-Key: 0xA3FD0DF7 - 9F73 032E EAC9 F7AD 951F 280E CB66 8E29 A3FD 0DF7
Debian User and Developer.
Homepage: www.foolab.org
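The two options debated in this thread, side by side, as an added example that is not code from the patch or the project: a fixed buffer bounded by its own size with a truncation check, and a heap buffer sized by a measuring snprintf call. The function names and the DATAPATH value are assumptions; the format string is the one in the quoted hunk.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed value: the project's real DATAPATH is not shown in the thread. */
#define DATAPATH "/usr/share/example"
#define PATH_FMT "%s/translations/%s"   /* format string from the quoted hunk */

/* Fixed buffer (hypothetical helper): 0 on success, -1 if the result did not
 * fit. On failure dst is emptied so a truncated path is never opened. */
int build_path_fixed(char *dst, size_t dstsize, const char *path)
{
    int n = snprintf(dst, dstsize, PATH_FMT, DATAPATH, path);
    if (n < 0 || (size_t)n >= dstsize) {
        if (dstsize > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Heap buffer (hypothetical helper): measure first, then allocate exactly
 * n + 1 bytes. Returns NULL on failure; the caller frees the result. */
char *build_path_alloc(const char *path)
{
    int n = snprintf(NULL, 0, PATH_FMT, DATAPATH, path);
    if (n < 0)
        return NULL;
    char *buf = malloc((size_t)n + 1);
    if (buf == NULL)
        return NULL;
    if (snprintf(buf, (size_t)n + 1, PATH_FMT, DATAPATH, path) != n) {
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    char tmp[300], name[400];
    memset(name, 'a', sizeof(name) - 1);   /* constructed 399-byte file name */
    name[sizeof(name) - 1] = '\0';
    printf("fixed, short: %d\n", build_path_fixed(tmp, sizeof(tmp), "de.po"));
    printf("fixed, long:  %d\n", build_path_fixed(tmp, sizeof(tmp), name));
    char *p = build_path_alloc(name);
    printf("alloc, long:  %zu bytes\n", p ? strlen(p) : 0);
    free(p);
    return 0;
}
```

With the fixed buffer the over-long name is rejected instead of silently shortened; with the heap buffer the full path is kept and the caller owns the allocation.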