[libdvdcss-devel] [PATCH] Squelch potential buffer overflow warning

astian astian at elude.in
Sun Mar 25 00:17:00 CET 2018


GCC 7.3 points out that a buffer of size PATH_MAX is being written to
with data that can theoretically overflow (a string of maximum size
PATH_MAX plus other constant-size strings).  Fix this by replacing
sprintf with snprintf.

Signed-off-by: astian <astian at elude.in>
---

Please note that I just copied the error-out code from the other error
case just above in the same function.  I didn't really try to understand
it.  Please review.

Note also that there are still several other uses of sprintf, and of
snprintf where the return value is ignored.  I made no attempt to
validate and/or fix those.  TODO?

The warning was:

  src/libdvdcss.c: In function ‘init_cache_dir’:
  src/libdvdcss.c:323:27: warning: ‘/CACHEDIR.TAG’ directive writing 13
  bytes into a region of size between 1 and 4096 [-Wformat-overflow=]
       sprintf( psz_tagfile, "%s/" CACHE_TAG_NAME, dvdcss->psz_cachefile );
                             ^~~~~
  src/libdvdcss.c:323:30: note: format string is defined here
       sprintf( psz_tagfile, "%s/" CACHE_TAG_NAME, dvdcss->psz_cachefile );
                                ^
  src/libdvdcss.c:323:5: note: ‘sprintf’ output between 14 and 4109
  bytes into a destination of size 4096
       sprintf( psz_tagfile, "%s/" CACHE_TAG_NAME, dvdcss->psz_cachefile );
       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cheers.
---

 src/libdvdcss.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/libdvdcss.c b/src/libdvdcss.c
index 8f4c421..cf49ece 100644
--- a/src/libdvdcss.c
+++ b/src/libdvdcss.c
@@ -320,7 +320,19 @@ static int init_cache_dir( dvdcss_t dvdcss )
         return -1;
     }
 
-    sprintf( psz_tagfile, "%s/" CACHE_TAG_NAME, dvdcss->psz_cachefile );
+    i_ret = snprintf( psz_tagfile, sizeof(psz_tagfile), "%s/" CACHE_TAG_NAME,
+                      dvdcss->psz_cachefile );
+    if ( i_ret < 0 || i_ret >= (int)sizeof(psz_tagfile))
+    {
+        if ( i_ret < 0)
+            print_error( dvdcss, "failed to compose cache directory tag path");
+        else
+            print_error( dvdcss, "cache directory tag path too long: %s/" CACHE_TAG_NAME,
+                         dvdcss->psz_cachefile );
+        dvdcss->psz_cachefile[0] = '\0';
+        return -1;
+    }
+
     i_fd = open( psz_tagfile, O_RDWR|O_CREAT, 0644 );
     if( i_fd >= 0 )
     {
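Review bot: the new check after snprintf does not follow the spacing of the surrounding code, which writes `if( i_fd >= 0 )`, while the added lines have `if ( i_ret < 0)` and `(int)sizeof(psz_tagfile))` with no space before the closing parenthesis; please match the file's existing style. The length test itself (`i_ret < 0 || i_ret >= (int)sizeof(psz_tagfile)`) is the right way to detect both an output error and truncation. `i_ret` is assigned here but not declared in the hunk, so confirm it is already in scope in `init_cache_dir` and is an `int`. The nested `if ( i_ret < 0)` / `else` exists only to choose the message, so two separate checks, each with its own `print_error` and cleanup, would read more directly.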
-- 
2.16.2

