Hi Mohammed, * Mohammed Sameer <[EMAIL PROTECTED]> [2008-04-17 15:53]: > On Wed, Apr 16, 2008 at 10:21:13PM +0200, Nico Golde wrote: > > * [EMAIL PROTECTED] [2008-04-16 22:05]: > > > Thanks for the help. I have made a patch that would fix the possible > > > buffer overflows. Please check the attached patch. > > [...] > > > if(path[0]!='/') > > > - sprintf(tmp,"%s/translations/%s",DATAPATH,path); > > > + snprintf(tmp,302,"%s/translations/%s",DATAPATH,path); > > > > off-by two. Why don't you just use sizeof(tmp)? > > And why use sizeof(tmp) with the possibility of truncating the resulting > string while we can > properly malloc() enough size to hold the whole path ?
Cause you have a maximum length for these values specified by the shell and malloc(foo + somelength) operations often lead to integer overflows (well not in this case). Anyway, the 302 was fine since it was tmp from a different source file where it is specified to have 302 bytes. Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
pgp9S3ZqiMdoV.pgp
Description: PGP signature
