Hi back Matthew,

Cyril Brulebois <[EMAIL PROTECTED]> (26/11/2008):
> (also applies to 1.8.9-1 from my reading the diff)

while I was browsing the code, I noticed the use of sprintf() in src/plugins/open/open.c; in that case, it could easily be replaced with snprintf(), using sizeof() for its second argument.

After a quick grep, it looks to me that other occurrences might lead to buffer overflow, see buf2str() in lib/helper.c; len might go up to 1023, since the check is len belongs to [0,1024[, and after various sprintf() in the for() loop, we have str[len*2]='\0'. Which looks like an overflow to me since str is a static char str[1024].

I didn't check further occurrences, just felt like I'd notify you of those findings.

Cheers,
-- 
Cyril Brulebois
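As an added illustration of the arithmetic behind the report above (this is not the project's code and not part of the mail): a hex dump of `len` bytes needs `2*len + 1` characters, so a `static char str[1024]` cannot hold the output for `len` anywhere near 1023. The hardened variant below (hypothetical name `buf2str_safe`) takes the destination size from the caller, bounds every write with `snprintf()`, and refuses input that would not fit instead of writing past the end. The two `check_*` helpers and the 0xab/0xdeadbeef sample inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Characters a hex dump of `len` input bytes needs: two hex digits per
   byte plus the terminating NUL. For len = 1023 this is 2047, which the
   1024-byte static buffer described in the mail cannot hold. */
size_t hex_bytes_needed(size_t len)
{
    return len * 2 + 1;
}

/* Hardened variant (hypothetical name, not the project's function).
   The caller passes the destination and its size (sizeof at the call
   site); each write is bounded and the function returns -1 rather than
   overflowing when the output would not fit. On success it returns the
   number of characters written, excluding the NUL. */
int buf2str_safe(const unsigned char *buf, size_t len, char *str, size_t str_size)
{
    if (str == NULL || str_size == 0)
        return -1;
    if (hex_bytes_needed(len) > str_size) {
        str[0] = '\0';              /* leave a valid (empty) string behind */
        return -1;
    }

    size_t pos = 0;
    for (size_t i = 0; i < len; i++) {
        /* snprintf never writes more than str_size - pos bytes here,
           including the NUL; n is the length it wanted to write. */
        int n = snprintf(str + pos, str_size - pos, "%02x", buf[i]);
        if (n < 0 || (size_t)n >= str_size - pos) {
            str[pos] = '\0';        /* truncated: report failure, stay NUL-terminated */
            return -1;
        }
        pos += (size_t)n;
    }
    str[pos] = '\0';
    return (int)pos;
}

/* Constructed check: 1023 input bytes (the upper bound the mail mentions)
   into a 1024-byte buffer must be refused, not silently overflowed. */
int check_full_input_rejected(void)
{
    static char str[1024];
    static unsigned char sample[1023];
    memset(sample, 0xab, sizeof sample);
    return buf2str_safe(sample, sizeof sample, str, sizeof str);   /* -1 */
}

/* Constructed check: a small input is encoded correctly. */
int check_small_input_ok(void)
{
    static char str[1024];
    const unsigned char small[] = {0xde, 0xad, 0xbe, 0xef};
    int rc = buf2str_safe(small, sizeof small, str, sizeof str);
    return rc == 8 && strcmp(str, "deadbeef") == 0;               /* 1 */
}

int main(void)
{
    printf("1023 bytes need %zu chars, buffer holds 1024: rc=%d\n",
           hex_bytes_needed(1023), check_full_input_rejected());
    printf("small input encoded correctly: %d\n", check_small_input_ok());
    return 0;
}
```

The key design point is that the size check happens once, up front, from `hex_bytes_needed()`, so the per-iteration `snprintf()` bound is a second line of defence rather than the only one; a caller that cannot pass the real buffer size (as with the old `sprintf()` signature) has no way to get that guarantee.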