From: Luke S. <lsc...@gm...> - 2002-09-30 04:19:27
On Sun, Sep 29, 2002 at 04:38:54PM -0400, William T. Mahan wrote:
> Hi,
>
> While working with the Oscar prpl I came across a few places that used
> sprintf with a fixed-size buffer. I don't think this is a big deal
> because the untrusted data usually passes through the BOS server,
> which probably places restrictions on the lengths of screennames and
> the like.
>
> However, it doesn't appear that Gaim checks the lengths of incoming
> TLVs, and now that direct TCP connections to other clients are
> supported, I think it's important to handle any outside data
> carefully. The attached patch changes the sprintf()s to snprintf()s.
>
> Also, if this is not the best place for someone without CVS commit
> access to send these sorts of small patches, just let me
> know.

Sending patches here is fine, especially for bug fix patches. Posting them to SourceForge, though, allows people to test patches that we might want to wait a while before committing, if, say, other things are happening to the body of code modified at the time.

luke

--
-This email is made of 100% recycled electrons.
-If something can go wrong.... FIX IT! If it's Microsoft...delete it.
-There are three ways to get something done: (1) Do it yourself. (2) Hire someone to do it for you. (3) Forbid your kids to do it.
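As an added example, not code from Gaim or from the patch discussed in this thread, the following C shows the shape of the two fixes the message argues for: a TLV reader that checks the declared length against the bytes actually received before handing out a pointer, and the fixed-buffer copy done with snprintf() in a way that detects truncation instead of hiding it. The TLV layout (16-bit big-endian type, 16-bit big-endian length, then the value), the buffer size SN_BUF, the function names and the sample messages are all assumptions made for this example.

```c
/*
 * Added example (not Gaim code): bounds-checked TLV parsing and
 * snprintf() with truncation detection. Assumed TLV layout: 16-bit
 * big-endian type, 16-bit big-endian length, value bytes. SN_BUF and
 * the sample messages are illustrative, not Gaim's.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SN_BUF 16   /* illustrative fixed-size buffer, as in a struct field */

struct tlv {
    uint16_t type;
    uint16_t len;
    const unsigned char *value;   /* points into the caller's buffer, not NUL-terminated */
};

/*
 * Read one TLV starting at offset *off of a buflen-byte buffer.
 * A peer on a direct connection controls the declared length, so it is
 * checked against the bytes actually present before value is set.
 * Returns 1 on success, 0 if the buffer ends early.
 */
int tlv_read(const unsigned char *buf, size_t buflen, size_t *off, struct tlv *out)
{
    if (*off > buflen || buflen - *off < 4)       /* need the 4-byte header */
        return 0;
    out->type = (uint16_t)((buf[*off] << 8) | buf[*off + 1]);
    out->len  = (uint16_t)((buf[*off + 2] << 8) | buf[*off + 3]);
    if (buflen - (*off + 4) < out->len)           /* declared length must fit */
        return 0;
    out->value = buf + *off + 4;
    *off += 4 + out->len;
    return 1;
}

/*
 * The pattern the patch removes: sprintf() into a fixed buffer. A value
 * longer than SN_BUF-1 bytes writes past the end of sn. Kept only for
 * comparison; it is never called below.
 */
void format_sn_unsafe(char sn[SN_BUF], const struct tlv *t)
{
    sprintf(sn, "%.*s", (int)t->len, (const char *)t->value);
}

/*
 * Hardened form: snprintf() bounds the write and reports the length it
 * wanted. Returns 1 if the name fit, 0 if it was truncated; sn is
 * NUL-terminated either way. The "%.*s" precision is needed because the
 * TLV value is not NUL-terminated, so a plain "%s" would over-read.
 */
int format_sn(char sn[SN_BUF], const struct tlv *t)
{
    int n = snprintf(sn, SN_BUF, "%.*s", (int)t->len, (const char *)t->value);
    return n >= 0 && (size_t)n < SN_BUF;
}

/*
 * Take the first TLV of a message and copy it into sn.
 * Returns 0 on success, 1 if the TLV is truncated or malformed,
 * 2 if the name does not fit in sn (caller should drop the message).
 */
int extract_sn(const unsigned char *buf, size_t buflen, char sn[SN_BUF])
{
    struct tlv t;
    size_t off = 0;
    if (!tlv_read(buf, buflen, &off, &t))
        return 1;
    if (!format_sn(sn, &t))
        return 2;
    return 0;
}

/* Constructed sample: type 1, length 5, value "alice". */
const unsigned char sample_ok[] = { 0x00, 0x01, 0x00, 0x05, 'a', 'l', 'i', 'c', 'e' };
/* Constructed sample: declared length 64 but only 5 bytes follow. */
const unsigned char sample_lying[] = { 0x00, 0x01, 0x00, 0x40, 'a', 'l', 'i', 'c', 'e' };
/* Constructed sample: a well-formed 20-byte name, longer than SN_BUF-1. */
const unsigned char sample_long[] = { 0x00, 0x01, 0x00, 0x14,
    'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
    'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a' };

int main(void)
{
    char sn[SN_BUF];
    int rc = extract_sn(sample_long, sizeof sample_long, sn);
    printf("long name: rc=%d sn=\"%s\"\n", rc, sn);
    rc = extract_sn(sample_lying, sizeof sample_lying, sn);
    printf("lying length: rc=%d\n", rc);
    return 0;
}
```

Two details matter beyond the sprintf-to-snprintf swap itself. The length check in tlv_read is what stops a peer from making the parser read (or copy) past the end of the received data, which snprintf alone does nothing about; and the return value of snprintf is checked so that a too-long name is rejected rather than silently cut to SN_BUF-1 bytes, since a truncated screen name can be just as wrong as an overflowed one. The n >= 0 test also covers older C libraries where snprintf() returns -1 on truncation instead of the required length.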