Hi Mohammed,
* Mohammed Sameer <[EMAIL PROTECTED]> [2008-04-17 22:36]:
> On Thu, Apr 17, 2008 at 04:02:25PM +0200, Nico Golde wrote:
> > Hi Mohammed,
> > * Mohammed Sameer <[EMAIL PROTECTED]> [2008-04-17 15:53]:
> > > On Wed, Apr 16, 2008 at 10:21:13PM +0200, Nico Golde wrote:
> > > > * [EMAIL PROTECTED] [2008-04-16 22:05]:
> > > > > Thanks for the help. I have made a patch that would fix the possible
> > > > > buffer overflows. Please check the attached patch.
> > > > [...]
> > > > > if(path[0]!='/')
> > > > > - sprintf(tmp,"%s/translations/%s",DATAPATH,path);
> > > > > + snprintf(tmp,302,"%s/translations/%s",DATAPATH,path);
> > > >
> > > > off-by two. Why don't you just use sizeof(tmp)?
> > >
> > > And why use sizeof(tmp) with the possibility of truncating the resulting
> > > string while we can
> > > properly malloc() enough size to hold the whole path ?
> >
> > Cause you have a maximum length for these values specified
> > by the shell and malloc(foo + somelength) operations often
> > lead to integer overflows (well not in this case).
> >
> > Anyway, the 302 was fine since it was tmp from a different
> > source file where it is specified to have 302 bytes.
> >
> A maximum length for $HOME ? Never heard of that.
> If you malloc(strlen(DATAPATH) + 1); then you won't overflow.

_POSIX_PATH_MAX should fit.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
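
Review bot: the return value of snprintf() on the added line is discarded, so a DATAPATH/path combination that does not fit is silently truncated and the shortened name is then used as if it were the real one; compare the result against the buffer size and treat a value at or above it as an error. The literal 302 on the same line also has to be kept in step by hand with the declaration of tmp, which is not visible in this hunk; sizeof(tmp), if tmp is an array in scope here, or a named constant shared with the declaration would remove that dependency.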
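
The two approaches argued over in this thread, written out as an added example (not code from the patch or from the project): a fixed 302-byte buffer bounded by sizeof and checked for truncation, and a heap buffer whose size computation is checked for wrap-around before malloc(). The DATAPATH value, the sample file name and both function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value: the thread does not show what DATAPATH expands to. */
#define DATAPATH "/usr/share/example"

/* Fixed buffer (hypothetical helper): the caller passes sizeof(buf), and a
 * result that did not fit is reported instead of being used truncated. */
int build_path_fixed(char *dst, size_t dstsz, const char *path)
{
    int n = snprintf(dst, dstsz, "%s/translations/%s", DATAPATH, path);
    if (n < 0 || (size_t)n >= dstsz)
        return -1;              /* encoding error or truncated */
    return 0;
}

/* Heap buffer (hypothetical helper): size derived from the inputs, with the
 * addition checked so it cannot wrap before malloc() sees it. */
char *build_path_alloc(const char *path)
{
    static const char mid[] = "/translations/";
    size_t fixed = strlen(DATAPATH) + (sizeof(mid) - 1) + 1; /* +1 for NUL */
    size_t plen = strlen(path);
    char *p;

    if (plen > SIZE_MAX - fixed)
        return NULL;            /* fixed + plen would overflow size_t */
    p = malloc(fixed + plen);
    if (p == NULL)
        return NULL;
    snprintf(p, fixed + plen, "%s%s%s", DATAPATH, mid, path);
    return p;                   /* caller frees */
}

int main(void)
{
    char tmp[302];              /* size quoted in the thread */
    char *heap;

    if (build_path_fixed(tmp, sizeof(tmp), "de.qm") == 0)
        puts(tmp);              /* "de.qm" is a constructed sample name */
    heap = build_path_alloc("de.qm");
    if (heap != NULL)
        puts(heap);
    free(heap);
    return 0;
}
```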