summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorThomas Martitz <kugel@rockbox.org>2014-01-11 18:01:22 +0100
committerThomas Martitz <kugel@rockbox.org>2014-01-11 18:01:22 +0100
commitfe08ac4c2fc2c8c0177ddd6545e3c6a69d07b5db (patch)
treef271b59f38281216bde4ac2fc4fe449b8c2932bf
parent8c286b46869ea6e139efe44b3ee553bcc19219e9 (diff)
downloadrockbox-fe08ac4.tar.gz
rockbox-fe08ac4.tar.bz2
rockbox-fe08ac4.zip
cuesheet: Fix possible buffer overflow with long filenames.
Change-Id: I49fe6da35057895d3c5a08a8723afe41eef7afe8
-rw-r--r--apps/cuesheet.c18
1 files changed, 11 insertions, 7 deletions
diff --git a/apps/cuesheet.c b/apps/cuesheet.c
index b7b7df85a8..0ba71762a9 100644
--- a/apps/cuesheet.c
+++ b/apps/cuesheet.c
@@ -45,9 +45,9 @@
bool look_for_cuesheet_file(struct mp3entry *track_id3, struct cuesheet_file *cue_file)
{
/* DEBUGF("look for cue file\n"); */
-
+ size_t len;
char cuepath[MAX_PATH];
- char *dot, *slash;
+ char *dot, *slash, *slash_cuepath;
if (track_id3->has_embedded_cuesheet)
{
@@ -64,18 +64,22 @@ bool look_for_cuesheet_file(struct mp3entry *track_id3, struct cuesheet_file *cu
slash = strrchr(track_id3->path, '/');
if (!slash)
return false;
- strlcpy(cuepath, track_id3->path, MAX_PATH);
- dot = strrchr(cuepath, '.');
- strcpy(dot, ".cue");
+ len = strlcpy(cuepath, track_id3->path, MAX_PATH);
+ slash_cuepath = &cuepath[slash - track_id3->path];
+ dot = strrchr(slash_cuepath, '.');
+ if (dot)
+ strlcpy(dot, ".cue", MAX_PATH - (dot-cuepath));
- if (!file_exists(cuepath))
+ if (!dot || !file_exists(cuepath))
{
strcpy(cuepath, CUE_DIR);
- strcat(cuepath, slash);
+ strlcat(cuepath, slash, MAX_PATH);
char *dot = strrchr(cuepath, '.');
strcpy(dot, ".cue");
if (!file_exists(cuepath))
{
+ if ((len+4) >= MAX_PATH)
+ return false;
strlcpy(cuepath, track_id3->path, MAX_PATH);
strlcat(cuepath, ".cue", MAX_PATH);
if (!file_exists(cuepath))