Crashes in various mythtv menus
Status: Alpha
Brought to you by:
gettler
Menu
▾
▴
#22 Crashes in various mythtv menus
In mythtv.c component, there are several uses of sprintf to construct strings to be displayed. All of these are susceptible to buffer overflow errors when the program in question has a longer title, description etc. These all cause mvpmc to crash and restart.
I first noticed this in the "Delete Recordings" screen, which would randomly crash and restart. After some playing around, I discovered that the crash occurred on programs which had a long description. Many of the programs in my MythTV recordings list have descriptions of 500 or more characters, but the code that tries to display this is allocated a total of 400 bytes for the entire string, clearly inadequate.
The attached patch changes 6 instances of poor use of sprintf with a fixed-length buffer to instead use snprintf with a maximum length of "sizeof(buf) - 1".
The current Myth functionality is almost unusable for me without these fixes.
Note that we need to use sizeof(buf) - 1 to account for the added null char on the end of the string - there are some instances of snprintf already in this file that use sizeof(buf) and these are WRONG, because adding the null on the end could blow the buffer. I haven't fixed these in this patch, but I can do if someone wants me to!
Logged In: YES
user_id=705463
Originator: NO
Whilst your statement about sizeof(buf) -1 would be correct for strncpy, however snprintf interprets its size argument a lot more sensibly. To quote man snprintf:
"The functions snprintf() and vsnprintf() do not write more
than size bytes (including the trailing ’\0’)."
So you don't need a -1 when calling snprintf.
Logged In: YES
user_id=705463
Originator: NO
Patch applied, with - 1 bits removed.