Hi, I found a buffer overflow vulnerability in audiolib.c.
In line 717, the program gets 'audio_dev_name' from an environment variable, and calls system_error when it fails to open the file.
    audio_dev_name = getenv("LAV_AUDIO_DEV");
    if(!audio_dev_name) audio_dev_name = "/dev/dsp";
    if(audio_capt)
        fd=open(audio_dev_name, O_RDONLY, 0);
    else
        fd=open(audio_dev_name, O_RDWR, 0);
    if (fd<0) system_error(audio_dev_name,fd,1);
In system_error, there are sprintf calls that build an error string with no length check. Since the size of error_string is fixed at 4096, if a malicious attacker sets the environment variable to a large string, a stack buffer overflow can occur.
    if(use_strerror)
        sprintf((char*)shmemptr->error_string, "Error %s - %s",str,strerror(errno));
    else
        sprintf((char*)shmemptr->error_string, "Error %s",str);
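A bounded version of the sprintf() calls described above, added here as an example and not the project's own fix (the struct name, guard byte and function names are assumptions; only the 4096-byte size and the format strings come from the report):

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define ERROR_STRING_SIZE 4096   /* fixed size named in the report */

/* Hypothetical stand-in for the shared-memory block in audiolib.c; the
 * guard byte directly after the buffer lets a check detect any overrun. */
struct audio_shmem {
    char error_string[ERROR_STRING_SIZE];
    unsigned char guard;
};

/* Bounded replacement for the two sprintf() calls in system_error().
 * snprintf() is given the real buffer size, so an oversized 'str' (for
 * example an attacker-chosen LAV_AUDIO_DEV) is cut off, not overrun.
 * Returns 1 if the message was truncated, 0 if it fit. */
int format_audio_error(struct audio_shmem *shm, const char *str,
                       int use_strerror, int saved_errno)
{
    int n;
    if (use_strerror)
        n = snprintf(shm->error_string, sizeof shm->error_string,
                     "Error %s - %s", str, strerror(saved_errno));
    else
        n = snprintf(shm->error_string, sizeof shm->error_string,
                     "Error %s", str);
    if (n < 0) {  /* encoding error: leave a safe, terminated message */
        snprintf(shm->error_string, sizeof shm->error_string, "Error (unprintable)");
        return 1;
    }
    return n >= (int)sizeof shm->error_string;
}

/* Constructed check: a device name twice the buffer size must come back
 * truncated, NUL-terminated, with the guard byte untouched. */
int check_oversized_name(void)
{
    struct audio_shmem shm;
    char long_name[2 * ERROR_STRING_SIZE];
    int truncated;
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';
    shm.guard = 0xA5;
    truncated = format_audio_error(&shm, long_name, 1, ENOENT);
    return truncated == 1
        && strlen(shm.error_string) == ERROR_STRING_SIZE - 1
        && shm.guard == 0xA5;
}
```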
Hello,
there is now a fix in the SVN that addresses that problem:
https://sourceforge.net/p/mjpeg/Code/3496/
Take a look at it; it looks good to me and addresses the problem.