Re: [AD] strcat strcpy etc.. BUG found!

[ Thread Index | Date Index | More lists.liballeg.org/allegro-developers Archives ]

To: conductors@xxxxxxxxxx
Subject: Re: [AD] strcat strcpy etc.. BUG found!
From: Eric Botcazou <ebotcazou@xxxxxxxxxx>
Date: Wed, 11 Dec 2002 11:13:17 +0100

> i have noticed the src of allegro has a few strcat()  and  strcpy()
> shouldnt they be replaced  with  strNcat()  and/or  strNcpy()  ?

Well, both strncat() and strncpy() are not very nice either, the first one 
because it can write more characters than prescribed and the second one 
because it doesn't always write the terminating null character.

> such as in  /allegro417/src/win/wddbmp.c
> around lines 128-132:
>
>
> case DDERR_PRIMARYSURFACEALREADYEXISTS:
>           strcpy(err_str, "DDERR_PRIMARYSURFACEALREADYEXISTS");
>           break;
>
> this is a buffer overflow !

Doh! Darn longish Microsoft constants :-(
Now fixed in the CVS tree.

> and another suspicious one...
>
> /allegro417/src/dos/sndscape.c (lines 378):
>
>
> static int get_ini_config_entry(char *entry, char *dest, FILE *fp)
> {
>     char str[83];
>     char tokstr[33];
>     char *p;
>
>     /* make a local copy of the entry, upper-case it */
>     strcpy(tokstr, entry);
>
> ****** this strcpy looks like it could overflow **********

Of course theoretically, but get_ini_config_entry() is only called on 
"Product", "Port", "Waveport", "IRQ", "SBIRQ" and "DMA" so...

-- 
Eric Botcazou

Follow-Ups:
- Re: [AD] strcat strcpy etc.. BUG found!
  - From: Robert Ohannessian
- Re: [AD] strcat strcpy etc.. BUG found!
  - From: Lo'oRiS il Kabukimono

References:
- [AD] strcat strcpy etc.. BUG found!
  - From: aj

Messages sorted by: [ date | thread ]
Prev by Date: [AD] strcat strcpy etc.. BUG found!
Next by Date: Re: [AD] (v)sprintf vs (v)sNprintf
Previous by thread: [AD] strcat strcpy etc.. BUG found!
Next by thread: Re: [AD] strcat strcpy etc.. BUG found!

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/