
koules-1.4-9.fc14.src.rpm

This fixes some buffer overflows that are not severe unless koules.svga
is installed setuid root, which it is not by default. The first hunk is from Debian.

Lubomir Rintel <lkundrak@v3.sk>

--- koules-1.4.orig/koules.sndsrv.linux.c
+++ koules-1.4/koules.sndsrv.linux.c
@@ -65,10 +65,9 @@
   for (i = 0; i < NUM_SOUNDS; i++)
     {
       s[0] = 0;
-      strcat (s, argv[1]);
-      if (s[(int) strlen (s) - 1] == '/')
+      if (argv[1][(int) strlen (argv[1]) - 1] == '/')
 	FILENAME[i]++;
-      strcat (s, FILENAME[i]);
+      snprintf(s, sizeof(s), "%s%s", argv[1], FILENAME[i]);
       FILENAME[i] = malloc ((int) strlen (s) + 1);
       strcpy (FILENAME[i], s);
       sound_buffer[i] = NULL;
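Review bot: The `snprintf` result on the new line is not checked, so a directory plus file name longer than `s` is silently truncated and the shortened path is what ends up in `FILENAME[i]`; assuming `s` is an array, test the return value, e.g. `if ((size_t) snprintf(s, sizeof(s), "%s%s", argv[1], FILENAME[i]) >= sizeof(s))` followed by an error exit. The same unchecked truncation applies to the `snprintf` calls in the nas_sound.c and soundos2.c hunks. Separately, `argv[1][(int) strlen (argv[1]) - 1]` reads index -1 when `argv[1]` is the empty string, and the `malloc` result on the following line reaches `strcpy` without a NULL check. The declaration of `s` and any argc check lie outside the hunk.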
diff -u koules1.4.orig/nas_sound.c koules1.4/nas_sound.c
--- koules1.4.orig/nas_sound.c	2007-10-28 03:29:35.000000000 +0100
+++ koules1.4/nas_sound.c	2007-10-28 03:31:16.000000000 +0100
@@ -175,9 +175,10 @@
 
       /* Use the environment variable if it exists */
       if ((str = getenv ("XGAL_SOUND_DIR")) != NULL)
-	sprintf (fbuf, "%s/%s", str, filename);
+	snprintf (fbuf, sizeof (fbuf), "%s/%s", str, filename);
       else
-	sprintf (fbuf, "%s/%s", unixSoundPath, filename);
+	snprintf (fbuf, sizeof (fbuf), "%s/%s", unixSoundPath, filename);
+	fbuf[sizeof (fbuf) -1] = '\0';
 
       sound_table[num_sounds].filename = strdup (fbuf);
       num_sounds++;
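Review bot: The added `fbuf[sizeof (fbuf) -1] = '\0';` is indented as if it belonged to the `else`, but without braces it runs after both branches, so the layout misstates the control flow. The line is also redundant, because `snprintf` with a non-zero size always NUL-terminates; either drop it or brace both branches. The soundos2.c hunk adds the same redundant terminator after its `snprintf`. Since `XGAL_SOUND_DIR` comes from the environment, a comment such as `/* path is caller-controlled; truncated names must be rejected, not opened */` next to a return-value check would document the intent.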
diff -u koules1.4.orig/soundos2.c koules1.4/soundos2.c
--- koules1.4.orig/soundos2.c	2007-10-28 03:29:35.000000000 +0100
+++ koules1.4/soundos2.c	2007-10-28 03:32:32.000000000 +0100
@@ -627,7 +627,8 @@
     printf ("Opening no.%d %s\n", k, FILENAME[k]);
   
 #endif /* 
 */
-    sprintf (filename, "sounds/%s", FILENAME[k]);
+    snprintf (filename, sizeof (filename), "sounds/%s", FILENAME[k]);
+    filename [sizeof (filename)-1] = '\0';
   
     fd = open (filename, O_RDONLY);
   
--- koules1.4/rcfiles.c.overflows	2007-10-28 04:58:04.000000000 +0100
+++ koules1.4/rcfiles.c	2007-10-28 05:01:26.000000000 +0100
@@ -59,11 +59,17 @@ save_rc ()
   if (client || server)
     return;
 #endif
+  fullname[sizeof (fullname)-1] = '\0';
 #ifdef OS2DIVE
-  sprintf (fullname, "%s", name);
+  snprintf (fullname, sizeof (fullname),  "%s", name);
 #else
-  sprintf (fullname, "%s/%s", mygetenv ("HOME"), name);
+  snprintf (fullname, sizeof (fullname), "%s/%s", mygetenv ("HOME"), name);
 #endif
+  if (fullname[sizeof (fullname)-1] != '\0')
+    {
+      printf ("Home directory file name too long, saving of controls skipped.");
+      return;
+    }
   if ((controls = fopen (fullname, "w")) == NULL)
     {
       printf ("could not open save file:%s\n"
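Review bot: The truncation test `if (fullname[sizeof (fullname)-1] != '\0')` can never fire, because `snprintf` always writes the terminating NUL inside the given size; on overflow the last byte is '\0' and the truncated path goes on to `fopen (fullname, "w")`. The sentinel-byte idiom only works with `strncpy`; here the return value has to be tested, e.g. `n = snprintf (fullname, sizeof (fullname), "%s/%s", mygetenv ("HOME"), name);` then `if (n < 0 || (size_t) n >= sizeof (fullname))`. The same dead check is repeated in the second save_rc hunk and in both load_rc hunks. What `mygetenv` returns when HOME is unset is not visible here; if it can be NULL it needs a guard before being passed to `%s`. The body of save_rc continues outside the hunk.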
@@ -89,11 +95,17 @@ save_rc ()
   fwrite (zeros, 2, sizeof (float), controls);
 #endif
   fclose (controls);
+  fullname[sizeof (fullname)-1] = '\0';
 #ifdef OS2DIVE
-  sprintf (fullname, "%s", levelsname);
+  snprintf (fullname, sizeof (fullname), "%s", levelsname);
 #else
-  sprintf (fullname, "%s/%s", mygetenv ("HOME"), levelsname);
+  snprintf (fullname, sizeof (fullname), "%s/%s", mygetenv ("HOME"), levelsname);
 #endif
+  if (fullname[sizeof (fullname)-1] != '\0')
+    {
+      printf ("Home directory file name too long, saving of controls skipped.");
+      return;
+    }
   if ((levels = fopen (fullname, "w")) == NULL)
     {
       printf ("could not open save file:%s\n"
@@ -120,11 +132,17 @@ load_rc ()
   if (client || server)
     return;
 #endif
+  fullname[sizeof (fullname)-1] = '\0';
 #ifdef OS2DIVE
-  sprintf (fullname, "%s", name);
+  snprintf (fullname, sizeof (fullname), "%s", name);
 #else
-  sprintf (fullname, "%s/%s", mygetenv ("HOME"), name);
+  snprintf (fullname, sizeof (fullname), "%s/%s", mygetenv ("HOME"), name);
 #endif
+  if (fullname[sizeof (fullname)-1] != '\0')
+    {
+      printf ("Home directory file name too long, using default controls.");
+      return;
+    }
   if ((controls = fopen (fullname, "r")) == NULL)
     {
       printf ("could not open save file:%s\n"
@@ -151,11 +169,17 @@ load_rc ()
 #endif
   fclose (controls);
 skip:;
+  fullname[sizeof (fullname)-1] = '\0';
 #ifdef OS2DIVE
-  sprintf (fullname, "%s", levelsname);
+  snprintf (fullname, sizeof (fullname), "%s", levelsname);
 #else
-  sprintf (fullname, "%s/%s", mygetenv ("HOME"), levelsname);
+  snprintf (fullname, sizeof (fullname), "%s/%s", mygetenv ("HOME"), levelsname);
 #endif
+  if (fullname[sizeof (fullname)-1] != '\0')
+    {
+      printf ("Home directory file name too long, using default controls.");
+      return;
+    }
   if ((levels = fopen (fullname, "r")) == NULL)
     {
       printf ("could not open save file:%s\n"