[MPlayer-cvslog] r35488 - trunk/stream/stream_ftp.c
al
subversion at mplayerhq.hu
Tue Nov 27 00:36:00 CET 2012
Author: al
Date: Tue Nov 27 00:36:00 2012
New Revision: 35488
Log:
stream ftp: Pass full buffer size to snprintf
Previously the buffer size was always passed as one less than
the underlying buffer's size. This is not using the underlying
buffer to its full potential according to the C99 standard. The
last byte of each buffer was never used.
No vulnerabilities should have been caused by this mistake because
the strings stored in the buffers were zero terminated at all
times. Neither out-of-array writes nor reads were possible.
Modified:
trunk/stream/stream_ftp.c
Modified: trunk/stream/stream_ftp.c
==============================================================================
--- trunk/stream/stream_ftp.c Mon Nov 26 20:50:32 2012 (r35487)
+++ trunk/stream/stream_ftp.c Tue Nov 27 00:36:00 2012 (r35488)
@@ -281,7 +281,7 @@ static int FtpOpenPort(struct stream_pri
sscanf(par+1,"%u,%u,%u,%u,%u,%u",&num[0],&num[1],&num[2],
&num[3],&num[4],&num[5]);
- snprintf(str,127,"%d.%d.%d.%d",num[0],num[1],num[2],num[3]);
+ snprintf(str,sizeof(str),"%d.%d.%d.%d",num[0],num[1],num[2],num[3]);
fd = connect2Server(str,(num[4]<<8)+num[5],0);
if(fd < 0)
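Review bot: The `sscanf` call just above the changed `snprintf` has its return value ignored, so a passive-mode reply with fewer than six numeric fields leaves part of `num[]` unassigned (unless it is initialised outside the hunk) before it is formatted into `str` and combined into the port. Reject the reply unless `sscanf(...) == 6`, and bound each field to 0–255 before building the address and `(num[4]<<8)+num[5]`. The fields are parsed with `%u` but printed with `%d`; the declaration of `num` is not visible here, so one of the two conversions probably mismatches its type. FtpOpenPort starts and ends outside this hunk.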
@@ -301,7 +301,7 @@ static int FtpOpenData(stream_t* s,off_t
if(s->fd < 0) return 0;
if(newpos > 0) {
- snprintf(p->cmd_buf,CMD_BUFSIZE - 1,"REST %"PRId64, (int64_t)newpos);
+ snprintf(p->cmd_buf,CMD_BUFSIZE,"REST %"PRId64, (int64_t)newpos);
resp = FtpSendCmd(p->cmd_buf,p,rsp_txt);
if(resp != 3) {
@@ -311,7 +311,7 @@ static int FtpOpenData(stream_t* s,off_t
}
// Get the file
- snprintf(p->cmd_buf,CMD_BUFSIZE - 1,"RETR %s",p->filename);
+ snprintf(p->cmd_buf,CMD_BUFSIZE,"RETR %s",p->filename);
resp = FtpSendCmd(p->cmd_buf,p,rsp_txt);
if(resp != 1) {
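Review bot: The `snprintf` result is still ignored, so a `p->filename` longer than the buffer is silently truncated and `RETR` is sent for a different path than the one requested; the same applies to the `USER`, `PASS` and `SIZE` calls in the two open_f hunks below. Compare the return value with the buffer size and fail on truncation, e.g. `if ((unsigned)snprintf(p->cmd_buf,CMD_BUFSIZE,"RETR %s",p->filename) >= CMD_BUFSIZE) return 0;`. If `p->filename`, `p->user` and `p->pass` are taken from the URL (not visible here), they should also be rejected when they contain CR or LF, so that one value can never span more than one command line. FtpOpenData continues outside the hunk.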
@@ -464,12 +464,12 @@ static int open_f(stream_t *stream,int m
}
// Login
- snprintf(p->cmd_buf,CMD_BUFSIZE - 1,"USER %s",p->user);
+ snprintf(p->cmd_buf,CMD_BUFSIZE,"USER %s",p->user);
resp = FtpSendCmd(p->cmd_buf,p,rsp_txt);
// password needed
if(resp == 3) {
- snprintf(p->cmd_buf,CMD_BUFSIZE - 1,"PASS %s",p->pass);
+ snprintf(p->cmd_buf,CMD_BUFSIZE,"PASS %s",p->pass);
resp = FtpSendCmd(p->cmd_buf,p,rsp_txt);
if(resp != 2) {
mp_msg(MSGT_OPEN,MSGL_ERR, "[ftp] command '%s' failed: %s\n",p->cmd_buf,rsp_txt);
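Review bot: When the `PASS` command fails, the `mp_msg` call on the last line of this hunk prints `p->cmd_buf`, which at that point holds `PASS ` followed by the password (unless FtpSendCmd rewrites the buffer, which is not visible here), so the credential ends up in the error log. Log only the command name on this path, e.g. `mp_msg(MSGT_OPEN,MSGL_ERR, "[ftp] command 'PASS' failed: %s\n",rsp_txt);`. The `if(resp != 2)` block and open_f itself continue outside the hunk.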
@@ -491,7 +491,7 @@ static int open_f(stream_t *stream,int m
}
// Get the filesize
- snprintf(p->cmd_buf,CMD_BUFSIZE - 1,"SIZE %s",p->filename);
+ snprintf(p->cmd_buf,CMD_BUFSIZE,"SIZE %s",p->filename);
resp = FtpSendCmd(p->cmd_buf,p,rsp_txt);
if(resp != 2) {
mp_msg(MSGT_OPEN,MSGL_WARN, "[ftp] command '%s' failed: %s\n",p->cmd_buf,rsp_txt);