When the user uses an external firmware image, there is a call to getpathnoext() in firmware.cpp:571 in order to generate a file name for the saved firmware config file.
The size of the MMU.fw.userfile char buffer is only 260, as declared in mc.h:73. However, getpathnoext() expects the buffer size to be MAX_PATH, which is declared as 1024 in types.h:77. The buffer overflow occurs in path.h:293 with the call to strncpy(), which copies 1024 chars into MMU.fw.userfile, which is only 260 chars.
This patch fixes this bug by setting the MMU.fw.userfile char buffer to a size of MAX_PATH. This is consistent with the char buffers used for the other file names.
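The size mismatch described above, reduced to a stand-alone C sketch (an added example, not the project's code; `USERFILE_LEN`, `MAX_PATH_LEN`, `bytes_clobbered_past_field` and `copy_path_checked` are hypothetical names). It models the 260-byte field and its neighbours inside one 1024-byte arena so the run stays well-defined, shows that strncpy() always writes the full count by NUL-padding a short source, and contrasts a copy that is told the real destination size.

```c
#include <stdio.h>
#include <string.h>

#define USERFILE_LEN 260   /* size of the destination field, per the report */
#define MAX_PATH_LEN 1024  /* size the callee assumes, per the report */

/* Bytes [0,260) of the arena stand for the field, bytes [260,1024) for
 * whatever memory follows it. Returns how many of those later bytes changed. */
size_t bytes_clobbered_past_field(const char *path)
{
    char arena[MAX_PATH_LEN];
    size_t i, clobbered = 0;

    memset(arena, 0xAA, sizeof arena);   /* canary pattern */
    strncpy(arena, path, MAX_PATH_LEN);  /* callee's assumption: 1024 bytes */

    for (i = USERFILE_LEN; i < MAX_PATH_LEN; i++)
        if ((unsigned char)arena[i] != 0xAA)
            clobbered++;
    return clobbered;
}

/* Size-aware copy: the caller passes the real capacity; truncation is an error. */
int copy_path_checked(char *dst, size_t dst_size, const char *src)
{
    int n;
    if (dst_size == 0)
        return -1;
    n = snprintf(dst, dst_size, "%s", src);
    if (n < 0 || (size_t)n >= dst_size) {
        dst[0] = '\0';                   /* never leave a partial path behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char userfile[USERFILE_LEN];
    char longpath[400];                  /* constructed sample input */

    memset(longpath, 'a', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';

    printf("short path clobbers %zu bytes\n", bytes_clobbered_past_field("fw.bin"));
    printf("checked copy of long path: %d\n",
           copy_path_checked(userfile, sizeof userfile, longpath));
    return 0;
}
```

Passing the destination capacity alongside the pointer keeps caller and callee from disagreeing about the size, which is the same class of mismatch the patch removes by making the field MAX_PATH long.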