From 49f13e0e08beffc1d44ceb356d6e8c027119f41e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Duraffort?=
Date: Sun, 28 Mar 2010 19:00:44 +0200
Subject: [PATCH] Growl: fix a second buffer overflow.

---
 modules/misc/notify/growl_udp.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/modules/misc/notify/growl_udp.c b/modules/misc/notify/growl_udp.c
index dd434803c5..cb550455cf 100644
--- a/modules/misc/notify/growl_udp.c
+++ b/modules/misc/notify/growl_udp.c
@@ -225,6 +225,17 @@ static int NotifyToGrowl( vlc_object_t *p_this, const char *psz_desc )
 if( psz_encoded == NULL )
 return false;
 
+ // Check the size of the data
+ size_t i_type = strlen( psz_type );
+ size_t i_title = strlen( psz_title );
+ size_t i_app = strlen( APPLICATION_NAME );
+ size_t i_desc = strlen( psz_desc );
+ if( 12 + i_type + i_title + i_desc + i_app >= GROWL_MAX_LENGTH + 42 )
+ {
+ free( psz_encoded );
+ return false;
+ }
+
 psz_encoded[i++] = GROWL_PROTOCOL_VERSION;
 psz_encoded[i++] = GROWL_TYPE_NOTIFICATION;
 flags = 0;
@@ -234,14 +245,15 @@ static int NotifyToGrowl( vlc_object_t *p_this, const char *psz_desc )
 insertstrlen(psz_title);
 insertstrlen(psz_desc);
 insertstrlen(APPLICATION_NAME);
+
 strcpy( (char*)(psz_encoded+i), psz_type );
- i += strlen(psz_type);
+ i += i_type;
 strcpy( (char*)(psz_encoded+i), psz_title );
- i += strlen(psz_title);
+ i += i_title;
 strcpy( (char*)(psz_encoded+i), psz_desc );
- i += strlen(psz_desc);
+ i += i_desc;
 strcpy( (char*)(psz_encoded+i), APPLICATION_NAME );
- i += strlen(APPLICATION_NAME);
+ i += i_app;
 
 CheckAndSend(p_this, psz_encoded, i, GROWL_MAX_LENGTH + 42);
 free( psz_encoded );
-- 
GitLab
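Review bot: The new over-length branch in the first hunk returns `false` from a function declared `static int`, so it yields 0, the same pattern as the `psz_encoded == NULL` branch just above it. If the normal return of NotifyToGrowl is also 0 (the function starts and ends outside the hunk), the caller cannot tell a rejected notification from a sent one. Returning an error code, `return VLC_EGENERIC;`, and logging before the `free`, for example `msg_Warn( p_this, "notification too long, not sent" );`, would make the drop visible instead of silent. The literal `12` (presumably the fixed header written before the strings) and the repeated `GROWL_MAX_LENGTH + 42` would be easier to keep in step with the allocation if they were named constants or carried a comment saying what they cover. Whether the bound must also leave room for anything CheckAndSend writes past offset `i` cannot be judged from these lines.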
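Review bot: The four `strcpy` calls kept as context in the second hunk are still unbounded copies, and each writes a terminating NUL that the next copy overwrites, so their safety rests entirely on the length check added in the first hunk. Now that the lengths are cached, each copy can use the value that was checked, e.g. `memcpy( psz_encoded + i, psz_type, i_type );`, and likewise for `psz_title`, `psz_desc` and `APPLICATION_NAME`. That keeps every write tied to the validated size if the check or the buffer size is later changed. The declaration of `i` is outside the hunk; if it is a signed `int`, `i += i_type` mixes it with `size_t`, which is harmless at these sizes but worth making consistent.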