This fixes some buffer overflow, that are not severe, unless koules.svga is installed setuid root. Not by default. The first hunk is from Debian. Lubomir Rintel <lkundrak@v3.sk>
--- koules-1.4.orig/koules.sndsrv.linux.c
+++ koules-1.4/koules.sndsrv.linux.c
@@ -65,10 +65,9 @@
 for (i = 0; i < NUM_SOUNDS; i++)
 {
 s[0] = 0;
- strcat (s, argv[1]);
- if (s[(int) strlen (s) - 1] == '/')
+ if (argv[1][(int) strlen (argv[1]) - 1] == '/')
 FILENAME[i]++;
- strcat (s, FILENAME[i]);
+ snprintf(s, sizeof(s), "%s%s", argv[1], FILENAME[i]);
 FILENAME[i] = malloc ((int) strlen (s) + 1);
 strcpy (FILENAME[i], s);
 sound_buffer[i] = NULL;
diff -u koules1.4.orig/nas_sound.c koules1.4/nas_sound.c
--- koules1.4.orig/nas_sound.c 2007-10-28 03:29:35.000000000 +0100
+++ koules1.4/nas_sound.c 2007-10-28 03:31:16.000000000 +0100
@@ -175,9 +175,10 @@
 /* Use the environment variable if it exists */
 if ((str = getenv ("XGAL_SOUND_DIR")) != NULL)
- sprintf (fbuf, "%s/%s", str, filename);
+ snprintf (fbuf, sizeof (fbuf), "%s/%s", str, filename);
 else
- sprintf (fbuf, "%s/%s", unixSoundPath, filename);
+ snprintf (fbuf, sizeof (fbuf), "%s/%s", unixSoundPath, filename);
+ fbuf[sizeof (fbuf) -1] = '\0';
 sound_table[num_sounds].filename = strdup (fbuf);
 num_sounds++;
diff -u koules1.4.orig/soundos2.c koules1.4/soundos2.c
--- koules1.4.orig/soundos2.c 2007-10-28 03:29:35.000000000 +0100
+++ koules1.4/soundos2.c 2007-10-28 03:32:32.000000000 +0100
@@ -627,7 +627,8 @@
 printf ("Opening no.%d %s\n", k, FILENAME[k]);
 #endif /* */
- sprintf (filename, "sounds/%s", FILENAME[k]);
+ snprintf (filename, sizeof (filename), "sounds/%s", FILENAME[k]);
+ filename [sizeof (filename)-1] = '\0';
 fd = open (filename, O_RDONLY);
--- koules1.4/rcfiles.c.overflows 2007-10-28 04:58:04.000000000 +0100
+++ koules1.4/rcfiles.c 2007-10-28 05:01:26.000000000 +0100
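Review bot: The added test `argv[1][(int) strlen (argv[1]) - 1]` reads one byte before the string when argv[1] is the empty string, because strlen is 0 and the index becomes -1; the removed `s[...]` form had the same flaw, so the commit moves the out-of-bounds read rather than removing it. Compute the length once and guard it: `size_t len = strlen (argv[1]);` followed by `if (len > 0 && argv[1][len - 1] == '/')`, which also drops the needless `(int)` cast. Whether argc is checked before argv[1] is dereferenced is outside the hunk. The new snprintf silently truncates an over-long directory and the shortened name is then copied into FILENAME[i]; that only makes a later open fail, so it is benign, but a one-line comment saying that truncation is tolerated here would spare the next reader the analysis.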
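Review bot: The added `fbuf[sizeof (fbuf) -1] = '\0';` is redundant with a C99 snprintf, which always terminates the output when the size is non-zero, and it does not detect truncation, so an over-long XGAL_SOUND_DIR yields a shortened path that is strdup'd into sound_table as if it were valid. Capture the return value in both branches, e.g. `n = snprintf (fbuf, sizeof (fbuf), "%s/%s", str, filename);`, and treat `n < 0 || (size_t) n >= sizeof (fbuf)` as a failure using whatever error convention the enclosing function has (its signature and return type are outside the hunk). The soundos2.c hunk has the same pattern: `filename [sizeof (filename)-1] = '\0';` is redundant and a truncated name is passed straight to open. The extra terminator only matters on pre-C99 libcs whose snprintf omits it on truncation; if that is the intent, a comment stating it would keep the line from being removed as dead code.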
@@ -59,11 +59,17 @@ save_rc ()
 if (client || server)
 return;
 #endif
+ fullname[sizeof (fullname)-1] = '\0';
 #ifdef OS2DIVE
- sprintf (fullname, "%s", name);
+ snprintf (fullname, sizeof (fullname), "%s", name);
 #else
- sprintf (fullname, "%s/%s", mygetenv ("HOME"), name);
+ snprintf (fullname, sizeof (fullname), "%s/%s", mygetenv ("HOME"), name);
 #endif
+ if (fullname[sizeof (fullname)-1] != '\0')
+ {
+ printf ("Home directory file name too long, saving of controls skipped.");
+ return;
+ }
 if ((controls = fopen (fullname, "w")) == NULL)
 {
 printf ("could not open save file:%s\n"
@@ -89,11 +95,17 @@ save_rc ()
 fwrite (zeros, 2, sizeof (float), controls);
 #endif
 fclose (controls);
+ fullname[sizeof (fullname)-1] = '\0';
 #ifdef OS2DIVE
- sprintf (fullname, "%s", levelsname);
+ snprintf (fullname, sizeof (fullname), "%s", levelsname);
 #else
- sprintf (fullname, "%s/%s", mygetenv ("HOME"), levelsname);
+ snprintf (fullname, sizeof (fullname), "%s/%s", mygetenv ("HOME"), levelsname);
 #endif
+ if (fullname[sizeof (fullname)-1] != '\0')
+ {
+ printf ("Home directory file name too long, saving of controls skipped.");
+ return;
+ }
 if ((levels = fopen (fullname, "w")) == NULL)
 {
 printf ("could not open save file:%s\n"
@@ -120,11 +132,17 @@ load_rc ()
 if (client || server)
 return;
 #endif
+ fullname[sizeof (fullname)-1] = '\0';
 #ifdef OS2DIVE
- sprintf (fullname, "%s", name);
+ snprintf (fullname, sizeof (fullname), "%s", name);
 #else
- sprintf (fullname, "%s/%s", mygetenv ("HOME"), name);
+ snprintf (fullname, sizeof (fullname), "%s/%s", mygetenv ("HOME"), name);
 #endif
+ if (fullname[sizeof (fullname)-1] != '\0')
+ {
+ printf ("Home directory file name too long, using default controls.");
+ return;
+ }
 if ((controls = fopen (fullname, "r")) == NULL)
 {
 printf ("could not open save file:%s\n"
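Review bot: The truncation check `if (fullname[sizeof (fullname)-1] != '\0')` can never fire with a conforming snprintf: when the formatted path stops short of the buffer end the pre-set terminator is untouched, and when the path is too long snprintf writes its own terminator in that last slot, so an over-long $HOME path is silently shortened and then handed to `fopen (fullname, "w")`, creating or truncating a file other than the intended one; the sentinel only works on pre-C99 libcs whose snprintf omits the terminator. The same construction is repeated in the second save_rc hunk and in both load_rc hunks. Test the return value instead, as below, declaring `int n;` with the function's other locals (outside the hunk); the pre-set `fullname[sizeof (fullname)-1] = '\0';` line then has no purpose and can go. This assumes fullname is a char array, as `sizeof (fullname)` implies; its declaration is outside the hunk.
```c
#ifdef OS2DIVE
  n = snprintf (fullname, sizeof (fullname), "%s", name);
#else
  n = snprintf (fullname, sizeof (fullname), "%s/%s", mygetenv ("HOME"), name);
#endif
  /* snprintf returns the length it needed; >= sizeof means the path was cut */
  if (n < 0 || (size_t) n >= sizeof (fullname))
    {
      printf ("Home directory file name too long, saving of controls skipped.");
      return;
    }
  /* … unchanged: fopen (fullname, "w") and the rest of save_rc … */
```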
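Review bot: The message in the second save_rc hunk, `printf ("Home directory file name too long, saving of controls skipped.");`, is misleading: the controls file has already been written and closed (`fclose (controls);` two lines above) and it is the levels file, `levelsname`, whose save is being skipped, so `"Home directory file name too long, saving of levels skipped.\n"` would be accurate. The second load_rc hunk has the same slip, reporting "using default controls" after `skip:;` when the controls have already been read and it is the levels that fall back to defaults. None of the four new messages ends with a newline, unlike the neighbouring `"could not open save file:%s\n"` messages, so they run into the next line of output.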
@@ -151,11 +169,17 @@ load_rc ()
 #endif
 fclose (controls);
 skip:;
+ fullname[sizeof (fullname)-1] = '\0';
 #ifdef OS2DIVE
- sprintf (fullname, "%s", levelsname);
+ snprintf (fullname, sizeof (fullname), "%s", levelsname);
 #else
- sprintf (fullname, "%s/%s", mygetenv ("HOME"), levelsname);
+ snprintf (fullname, sizeof (fullname), "%s/%s", mygetenv ("HOME"), levelsname);
 #endif
+ if (fullname[sizeof (fullname)-1] != '\0')
+ {
+ printf ("Home directory file name too long, using default controls.");
+ return;
+ }
 if ((levels = fopen (fullname, "r")) == NULL)
 {
 printf ("could not open save file:%s\n"