On Sun, Sep 29, 2002 at 04:38:54PM -0400, William T. Mahan wrote:
> Hi,
>
> While working with the Oscar prpl I came across a few places that used
> sprintf with a fixed-size buffer. I don't think this is a big deal
> because the untrusted data usually passes through the BOS server,
> which probably places restrictions on the lengths of screennames and
> the like.
>
> However, it doesn't appear that Gaim checks the lengths of incoming
> TLVs, and now that direct TCP connections to other clients are
> supported, I think it's important to handle any outside data
> carefully. The attached patch changes the sprintf()s to snprintf()s.
>
> Also, if this is not the best place for someone without CVS commit
> access to send these sorts of small patches, just let me
> know.

Sending patches here is fine, especially for bug fix patches. Posting
them to SourceForge, though, allows people to test patches that we might
want to wait a while before committing, if, say, other things are
happening to the body of code modified at the time.

luke
--
-This email is made of 100% recycled electrons.
-If something can go wrong.... FIX IT!
If it's Microsoft...delete it.
-There are three ways to get something done:
(1) Do it yourself.
(2) Hire someone to do it for you.
(3) Forbid your kids to do it.
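
Added example, not part of the original mail or of Gaim's code: a sketch of the two checks the quoted message calls for, validating an incoming TLV's declared length against the bytes actually received and formatting its value into a fixed-size buffer with snprintf() while detecting truncation. The names tlv_next, handle_tlv and SN_MAX, the "IM from" text and the sample packet are hypothetical; the TLV layout assumed is a 2-byte type and 2-byte length, big-endian, followed by the value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SN_MAX 32 /* hypothetical fixed buffer size */

/* Read one TLV: 2-byte type, 2-byte length (big-endian), then the value.
 * Returns bytes consumed, or 0 if the header or the declared length
 * runs past the data actually received. */
size_t tlv_next(const uint8_t *buf, size_t len, uint16_t *type,
                const uint8_t **val, uint16_t *vlen)
{
    if (len < 4)
        return 0;
    *type = (uint16_t)(buf[0] << 8 | buf[1]);
    *vlen = (uint16_t)(buf[2] << 8 | buf[3]);
    if (*vlen > len - 4)
        return 0;
    *val = buf + 4;
    return 4 + (size_t)*vlen;
}

/* Returns 0 on success, -1 for a malformed TLV, -2 if the text did not
 * fit in out (out is still NUL-terminated, holding the truncated text). */
int handle_tlv(const uint8_t *buf, size_t len, char *out, size_t outsz)
{
    uint16_t type, vlen;
    const uint8_t *val;
    int n;

    if (tlv_next(buf, len, &type, &val, &vlen) == 0)
        return -1;
    /* %.*s reads at most vlen bytes, so val need not be NUL-terminated */
    n = snprintf(out, outsz, "IM from %.*s", (int)vlen, (const char *)val);
    return (n < 0 || (size_t)n >= outsz) ? -2 : 0;
}

int main(void)
{
    /* constructed sample: type 0x0001, length 5, value "alice" */
    const uint8_t pkt[] = {0x00, 0x01, 0x00, 0x05, 'a', 'l', 'i', 'c', 'e'};
    char out[SN_MAX];
    int rc = handle_tlv(pkt, sizeof pkt, out, sizeof out);
    printf("%d %s\n", rc, rc == -1 ? "" : out);
    return 0;
}
```

With sprintf() in place of snprintf(), the oversized-value case would write past the end of out instead of returning -2.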