On Thu, Apr 17, 2008 at 04:02:25PM +0200, Nico Golde wrote: > Hi Mohammed, > * Mohammed Sameer <[EMAIL PROTECTED]> [2008-04-17 15:53]: > > On Wed, Apr 16, 2008 at 10:21:13PM +0200, Nico Golde wrote: > > > * [EMAIL PROTECTED] [2008-04-16 22:05]: > > > > Thanks for the help. I have made a patch that would fix the possible > > > > buffer overflows. Please check the attached patch. > > > [...] > > > > if(path[0]!='/') > > > > - sprintf(tmp,"%s/translations/%s",DATAPATH,path); > > > > + snprintf(tmp,302,"%s/translations/%s",DATAPATH,path); > > > > > > off-by two. Why don't you just use sizeof(tmp)? > > > > And why use sizeof(tmp) with the possibility of truncating the resulting > > string while we can > > properly malloc() enough size to hold the whole path ? > > Cause you have a maximum length for these values specified > by the shell and malloc(foo + somelength) operations often > lead to integer overflows (well not in this case). > > Anyway, the 302 was fine since it was tmp from a different > source file where it is specified to have 302 bytes.
A maximum length for $HOME ? Never heard of that. If you malloc(strlen(DATAPATH) + 1); then you won't overflow. Cheers, -- GPG-Key: 0xA3FD0DF7 - 9F73 032E EAC9 F7AD 951F 280E CB66 8E29 A3FD 0DF7 Debian User and Developer. Homepage: www.foolab.org
signature.asc
Description: Digital signature
