diff options
| author | Thomas Martitz <kugel@rockbox.org> | 2014-01-11 18:01:22 +0100 |
|---|---|---|
| committer | Thomas Martitz <kugel@rockbox.org> | 2014-01-11 18:01:22 +0100 |
| commit | fe08ac4c2fc2c8c0177ddd6545e3c6a69d07b5db (patch) | |
| tree | f271b59f38281216bde4ac2fc4fe449b8c2932bf | |
| parent | 8c286b46869ea6e139efe44b3ee553bcc19219e9 (diff) | |
| download | rockbox-fe08ac4c2fc2c8c0177ddd6545e3c6a69d07b5db.tar.gz rockbox-fe08ac4c2fc2c8c0177ddd6545e3c6a69d07b5db.zip | |
cuesheet: Fix possible buffer overflow with long filenames.
Change-Id: I49fe6da35057895d3c5a08a8723afe41eef7afe8
| -rw-r--r-- | apps/cuesheet.c | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/apps/cuesheet.c b/apps/cuesheet.c index b7b7df85a8..0ba71762a9 100644 --- a/apps/cuesheet.c +++ b/apps/cuesheet.c | |||
| @@ -45,9 +45,9 @@ | |||
| 45 | bool look_for_cuesheet_file(struct mp3entry *track_id3, struct cuesheet_file *cue_file) | 45 | bool look_for_cuesheet_file(struct mp3entry *track_id3, struct cuesheet_file *cue_file) |
| 46 | { | 46 | { |
| 47 | /* DEBUGF("look for cue file\n"); */ | 47 | /* DEBUGF("look for cue file\n"); */ |
| 48 | 48 | size_t len; | |
| 49 | char cuepath[MAX_PATH]; | 49 | char cuepath[MAX_PATH]; |
| 50 | char *dot, *slash; | 50 | char *dot, *slash, *slash_cuepath; |
| 51 | 51 | ||
| 52 | if (track_id3->has_embedded_cuesheet) | 52 | if (track_id3->has_embedded_cuesheet) |
| 53 | { | 53 | { |
| @@ -64,18 +64,22 @@ bool look_for_cuesheet_file(struct mp3entry *track_id3, struct cuesheet_file *cu | |||
| 64 | slash = strrchr(track_id3->path, '/'); | 64 | slash = strrchr(track_id3->path, '/'); |
| 65 | if (!slash) | 65 | if (!slash) |
| 66 | return false; | 66 | return false; |
| 67 | strlcpy(cuepath, track_id3->path, MAX_PATH); | 67 | len = strlcpy(cuepath, track_id3->path, MAX_PATH); |
| 68 | dot = strrchr(cuepath, '.'); | 68 | slash_cuepath = &cuepath[slash - track_id3->path]; |
| 69 | strcpy(dot, ".cue"); | 69 | dot = strrchr(slash_cuepath, '.'); |
| 70 | if (dot) | ||
| 71 | strlcpy(dot, ".cue", MAX_PATH - (dot-cuepath)); | ||
| 70 | 72 | ||
| 71 | if (!file_exists(cuepath)) | 73 | if (!dot || !file_exists(cuepath)) |
| 72 | { | 74 | { |
| 73 | strcpy(cuepath, CUE_DIR); | 75 | strcpy(cuepath, CUE_DIR); |
| 74 | strcat(cuepath, slash); | 76 | strlcat(cuepath, slash, MAX_PATH); |
| 75 | char *dot = strrchr(cuepath, '.'); | 77 | char *dot = strrchr(cuepath, '.'); |
| 76 | strcpy(dot, ".cue"); | 78 | strcpy(dot, ".cue"); |
| 77 | if (!file_exists(cuepath)) | 79 | if (!file_exists(cuepath)) |
| 78 | { | 80 | { |
| 81 | if ((len+4) >= MAX_PATH) | ||
| 82 | return false; | ||
| 79 | strlcpy(cuepath, track_id3->path, MAX_PATH); | 83 | strlcpy(cuepath, track_id3->path, MAX_PATH); |
| 80 | strlcat(cuepath, ".cue", MAX_PATH); | 84 | strlcat(cuepath, ".cue", MAX_PATH); |
| 81 | if (!file_exists(cuepath)) | 85 | if (!file_exists(cuepath)) |