[Mlt-devel] [PATCH 2/8] mlt_filter.c: fix possible buffer overflows

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Fixes Coverity CID 709411: Copy into fixed size buffer (STRING_OVERFLOW)
You might overrun the 20 byte fixed-size string "name" by copying "unique_id" without checking the length.
257        strcat( name, unique_id );

and

CID 709412: Copy into fixed size buffer (STRING_OVERFLOW)
You might overrun the 20 byte fixed-size string "name" by copying "unique_id" without checking the length.
302        strcat( name, unique_id );
---
 src/framework/mlt_filter.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/framework/mlt_filter.c b/src/framework/mlt_filter.c
index 4c85291..ed4d919 100644
--- a/src/framework/mlt_filter.c
+++ b/src/framework/mlt_filter.c
@@ -259,8 +259,8 @@ mlt_position mlt_filter_get_position( mlt_filter self, mlt_frame frame )
 	char name[20];
 
 	// Make the properties key from unique id
-	strcpy( name, "pos." );
-	strcat( name, unique_id );
+	snprintf( name, 20, "pos.%s", unique_id );
+	name[20 - 1] = '\0';
 
 	return mlt_properties_get_position( MLT_FRAME_PROPERTIES( frame ), name ) - in;
 }
@@ -304,8 +304,8 @@ mlt_frame mlt_filter_process( mlt_filter self, mlt_frame frame )
 	char name[20];
 
 	// Make the properties key from unique id
-	strcpy( name, "pos." );
-	strcat( name, unique_id );
+	snprintf( name, 20, "pos.%s", unique_id );
+	name[20 -1] = '\0';
 
 	// Save the position on the frame
 	mlt_properties_set_position( MLT_FRAME_PROPERTIES( frame ), name, position );
-- 
1.7.10.4



