I just compiled the latest SVN version of mediatomb (1546) and noticed a couple of issues with the stringbuffer.cc class. It reads and writes outside the allocated area.
concat(char *str, int length) behaves a little unexpectedly (IMHO) since it runs strlen to verify the length given as input, and the user must thus be sure to have a null-terminated buffer. At least one of the users of this method does not do that (read_text_file), and this strlen reads outside the buffer. I removed the call to strlen, as the length given should be used, and it will only reduce allocated memory if the length was wrong. But how concat should behave is really up to you, so either remove strlen or make sure that all callers terminate their buffers.
The rest are off-by-one errors when terminating the buffer, and thus writing outside the allocated area.
Also some rewrites from *(data + len) to data[len] to use only one of the mechanisms in this class (cleaner).
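The two defects described in the post, a concat() that runs strlen() over a caller-supplied buffer that need not be NUL-terminated, and a terminator written one byte past the allocation, illustrated with a small hypothetical buffer class. This is an added example, not MediaTomb's stringbuffer.cc; the class, its method names and the constructed "file chunk" input are assumptions made here for illustration.

```cpp
#include <cstdlib>
#include <cstring>
#include <string>

// Hypothetical minimal string buffer (not MediaTomb's stringbuffer.cc),
// written to show the two hazards described in the post:
// 1. concat() must trust the caller-supplied length and never call strlen()
//    on the source, because the source may carry no terminator.
// 2. Every capacity check must reserve one extra byte for the '\0', or the
//    terminating store lands exactly one byte past the allocation.
class StringBuffer {
public:
    explicit StringBuffer(size_t capacity = 16)
        : data(static_cast<char*>(std::malloc(capacity))), len(0), cap(capacity) {
        if (!data) std::abort();
        data[0] = '\0';
    }
    ~StringBuffer() { std::free(data); }
    StringBuffer(const StringBuffer&) = delete;
    StringBuffer& operator=(const StringBuffer&) = delete;

    // Append exactly `length` bytes of `str`. No strlen(): `str` may be a raw
    // block of bytes (e.g. read straight from a file) with no '\0' anywhere.
    void concat(const char* str, size_t length) {
        ensureCapacity(len + length + 1);   // +1: room for the terminator
        std::memcpy(data + len, str, length);
        len += length;
        data[len] = '\0';                   // len < cap is guaranteed above
    }

    // Convenience overload for genuine C strings only.
    void concat(const char* cstr) { concat(cstr, std::strlen(cstr)); }

    const char* c_str() const { return data; }
    size_t length() const { return len; }
    size_t capacity() const { return cap; }

private:
    // Grow until cap >= needed, where `needed` already counts the '\0'.
    // Checking `needed <= cap` rather than `needed < cap` is correct only
    // because the caller added the terminator byte to `needed`.
    void ensureCapacity(size_t needed) {
        if (needed <= cap) return;
        size_t newCap = cap ? cap : 1;
        while (newCap < needed) newCap *= 2;
        char* grown = static_cast<char*>(std::realloc(data, newCap));
        if (!grown) std::abort();
        data = grown;
        cap = newCap;
    }

    char* data;
    size_t len;
    size_t cap;
};

// Stand-in for a read_text_file-style caller: a chunk of bytes copied from a
// file without a terminator (constructed sample input, no real file I/O).
std::string appendUnterminatedChunk() {
    char raw[5] = {'h', 'e', 'l', 'l', 'o'};  // no '\0' in this array
    StringBuffer sb(4);                       // smaller than the chunk: forces growth
    sb.concat("ab");
    sb.concat(raw, sizeof raw);               // strlen(raw) here would read past raw
    return std::string(sb.c_str(), sb.length());
}

// Invariant a reviewer would check: after any append, the terminator index
// (len) is inside the allocation and actually holds '\0'.
bool terminatorInBounds(size_t appended) {
    StringBuffer sb(1);
    std::string filler(appended, 'x');
    sb.concat(filler.data(), filler.size());
    return sb.length() + 1 <= sb.capacity() && sb.c_str()[sb.length()] == '\0';
}
```

Running the buggy variant (strlen() on `raw`, or an `ensureCapacity(len + length)` without the +1) under AddressSanitizer or Valgrind is the quickest way to confirm the out-of-bounds read and the one-byte heap overflow the post reports; both are undefined behaviour, so the example only includes the corrected form.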