mifr/subsurface
1
0
Fork 0
mirror of https://github.com/subsurface/subsurface.git synced 2025-02-19 22:16:15 +00:00
Code Issues Projects Releases Packages Wiki Activity

Try to capture some more potential buffer overflows caused by localization

Browse source 
A couple of these could clearly cause a crash just like the one fixed by
commit 00865f5a1e1a ("equipment.c: Fix potential buffer overflow in
size_data_funct()").

One would append user input to fixed length buffer without checking.

We were hardcoding the (correct) max path length in macos.c - replaced by
the actual OS constant.

But the vast majority are just extremely generous guesses how long
localized strings could possibly be.

Yes, this commit is likely leaning towards overkill. But we have now been
bitten by buffer overflow crashes twice that were caused by localization,
so I tried to go through all of the code and identify every possible
buffer that could be affected by this.

Signed-off-by: Dirk Hohndel <dirk@hohndel.org>
This commit is contained in:
Dirk Hohndel 2013-03-03 17:53:43 -08:00
parent 93eeb03d67
commit 0129192958
13 changed files with 31 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

8
print.c
View file

@ -69,7 +69,7 @@ static void show_dive_header(struct dive *dive, cairo_t *cr, double w,
PangoLayout *layout;
PangoRectangle ink_ext, logic_ext;
struct tm tm;
char buffer[160], divenr[40], *people;
char buffer[512], divenr[80], *people;
maxwidth = w * PANGO_SCALE;
maxheight = h * PANGO_SCALE * 0.9;
@ -355,7 +355,7 @@ static void print_weight_data (struct dive *dive, cairo_t *cr, int maxwidth, int
/* Print the dive OTUs */
static void print_otus (struct dive *dive, cairo_t *cr, PangoLayout *layout, int maxwidth)
{
char buffer[40];
char buffer[128];
cairo_move_to (cr,(maxwidth*0.05) / ((double) PANGO_SCALE), 0);
snprintf(buffer, sizeof(buffer), _("OTU"));
@ -370,7 +370,7 @@ static void print_otus (struct dive *dive, cairo_t *cr, PangoLayout *layout, int
/* Print the dive maxCNS */
static void print_cns (struct dive *dive, cairo_t *cr, PangoLayout *layout, int maxwidth)
{
char buffer[40];
char buffer[128];
cairo_move_to (cr,(maxwidth*0.05) / ((double) PANGO_SCALE), 0);
@ -389,7 +389,7 @@ static void print_SAC (struct dive *dive, cairo_t *cr, PangoLayout *layout, int
double sac;
int decimals;
const char *unit;
char buffer[40];
char buffer[128];
cairo_move_to (cr,(maxwidth*0.05) / ((double) PANGO_SCALE), 0);
snprintf(buffer, sizeof(buffer), _("SAC"));