[MPlayer-dev-eng] [PATCH] mga_vid possible buffer overflow (and kernel oops?) fix

Diego Biurrun diego at biurrun.de
Sun Feb 9 14:33:40 CET 2003 

What about this patch?  accepted/rejected, pre0.90/post0.90?

Alex Beregszaszi wrote:
> here's a possible fix for some string handling bugs (overwrites),
> found the problem report in a year old mail from Koth ;)
> 
> Patch attached. (Becouse i do not use the mga_vid)
> 
> Index: mga_vid.c
> ===================================================================
> RCS file: /cvsroot/mplayer/main/drivers/mga_vid.c,v
> retrieving revision 1.48
> diff -u -r1.48 mga_vid.c
> --- mga_vid.c	25 Jul 2002 21:34:24 -0000	1.48
> +++ mga_vid.c	3 Feb 2003 17:59:21 -0000
> @@ -1416,14 +1416,14 @@
>  {
>      unsigned len;
>      len = 0;
> -    len += sprintf(&mga_param_buff[len],"Interface version: %04X\n",MGA_VID_VERSION);
> -    len += sprintf(&mga_param_buff[len],"Memory: %x:%dM\n",mga_mem_base,(unsigned int) mga_ram_size);
> -    len += sprintf(&mga_param_buff[len],"MMIO: %p\n",mga_mmio_base);
> -    len += sprintf(&mga_param_buff[len],"Configurable stuff:\n");
> -    len += sprintf(&mga_param_buff[len],"~~~~~~~~~~~~~~~~~~~\n");
> -    len += sprintf(&mga_param_buff[len],PARAM_BRIGHTNESS"%d\n",mga_brightness);
> -    len += sprintf(&mga_param_buff[len],PARAM_CONTRAST"%d\n",mga_contrast);
> -    len += sprintf(&mga_param_buff[len],PARAM_BLACKIE"%s\n",regs.blackie?"on":"off");
> +    len += snprintf(&mga_param_buff[len],PARAM_BUFF_SIZE-len,"Interface version: %04X\n",MGA_VID_VERSION);
> +    len += snprintf(&mga_param_buff[len],PARAM_BUFF_SIZE-len,"Memory: %x:%dM\n",mga_mem_base,(unsigned int) mga_ram_size);
> +    len += snprintf(&mga_param_buff[len],PARAM_BUFF_SIZE-len,"MMIO: %p\n",mga_mmio_base);
> +    len += snprintf(&mga_param_buff[len],PARAM_BUFF_SIZE-len,"Configurable stuff:\n");
> +    len += snprintf(&mga_param_buff[len],PARAM_BUFF_SIZE-len,"~~~~~~~~~~~~~~~~~~~\n");
> +    len += snprintf(&mga_param_buff[len],PARAM_BUFF_SIZE-len,PARAM_BRIGHTNESS"%d\n",mga_brightness);
> +    len += snprintf(&mga_param_buff[len],PARAM_BUFF_SIZE-len,PARAM_CONTRAST"%d\n",mga_contrast);
> +    len += snprintf(&mga_param_buff[len],PARAM_BUFF_SIZE-len,PARAM_BLACKIE"%s\n",regs.blackie?"on":"off");
>      mga_param_buff_len = len;
>      // check boundaries of mga_param_buff before writing to it!!!
>  }

More information about the MPlayer-dev-eng mailing list