In mythtv.c component, there are several uses of sprintf to construct strings to be displayed. All of these are susceptible to buffer overflow errors when the program in question has a longer title, description etc. These all cause mvpmc to crash and restart.
I first noticed this in the "Delete Recordings" screen, which would randomly crash and restart. After some playing around, I discovered that the crash occurred on programs which had a long description. Many of the programs in my MythTV recordings list have descriptions of 500 or more characters, but the code that tries to display this is allocated a total of 400 bytes for the entire string, clearly inadequate.
The attached patch changes 6 instances of poor use of sprintf with a fixed-length buffer to instead use snprintf with a maximum length of "sizeof(buf) - 1".
The current Myth functionality is almost unusable for me without these fixes.
Note that we need to use sizeof(buf) - 1 to account for the added null char on the end of the string - there are some instances of snprintf already in this file that use sizeof(buf) and these are WRONG, because adding the null on the end could blow the buffer. I haven't fixed these in this patch, but I can do if someone wants me to!
Logged In: YES
user_id=705463
Originator: NO
Whilst your statement about sizeof(buf) -1 would be correct for strncpy, however snprintf interprets its size argument a lot more sensibly. To quote man snprintf:
"The functions snprintf() and vsnprintf() do not write more
than size bytes (including the trailing ’\0’)."
So you don't need a -1 when calling snprintf.
Logged In: YES
user_id=705463
Originator: NO
Patch applied, with - 1 bits removed.