[xine-cvs] CVS: xine-lib/src/libsputext xine_decoder.c,1.84,1.85

[Michael R. <mr...@us...>]

Update of /cvsroot/xine/xine-lib/src/libsputext
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv20162/src/libsputext

Modified Files:
	xine_decoder.c 
Log Message:
* font name stored in an unprotected buffer, configuring a long font name
  would have caused an overflow
* using strncpy is good, but if the buffer is too short, it leaves the
  string unterminated; fixed


Index: xine_decoder.c
===================================================================
RCS file: /cvsroot/xine/xine-lib/src/libsputext/xine_decoder.c,v
retrieving revision 1.84
retrieving revision 1.85
diff -u -r1.84 -r1.85
--- xine_decoder.c	14 Jul 2004 18:51:29 -0000	1.84
+++ xine_decoder.c	22 Jul 2004 14:21:31 -0000	1.85
@@ -295,7 +295,8 @@
   update_font_size(this, 0);
   
   if( strcmp(this->font, this->class->font) ) {
-    strcpy(this->font, this->class->font);
+    strncpy(this->font, this->class->font, FONTNAME_SIZE);
+    this->font[FONTNAME_SIZE - 1] = '\0';
     if( this->renderer )
       this->renderer->set_font (this->osd, this->class->font, this->font_size);
   }
@@ -323,14 +324,17 @@
             char *p=this->text[line];
             for(b=0;b<chunks;b++) {
               char *c;
-              if(b==chunks-1) /* if we are reading the last chunk, copy it completly */
+              if(b==chunks-1) { /* if we are reading the last chunk, copy it completly */
                 strncpy(this->text[line+b],p,SUB_BUFSIZE);
-              else {
+                this->text[line+b][SUB_BUFSIZE - 1] = '\0';
+              } else {
                 for(c=p+(int)(len/chunks)+(len%chunks?1:0);*c!=' ' && c>p && c!='\0';c--);
                 if(*c==' ') {
                   *c='\0';
-                  if(b) /* we are reading something that has to be moved to another line */
+                  if(b) { /* we are reading something that has to be moved to another line */
                     strncpy(this->text[line+b],p,SUB_BUFSIZE);
+                    this->text[line+b][SUB_BUFSIZE - 1] = '\0';
+                  }
                   p=c+1;
                 }
               }
@@ -361,13 +365,15 @@
           char *p=buf;
           for(b=0;b<chunks;b++) {
             char *c;
-            if(b==chunks-1) /* if we are reading the last chunk, copy it completly */
+            if(b==chunks-1) { /* if we are reading the last chunk, copy it completly */
               strncpy(this->text[b],p,SUB_BUFSIZE);
-            else {
+              this->text[b][SUB_BUFSIZE - 1] = '\0';
+            } else {
               for(c=p+(int)(len/chunks)+(len%chunks?1:0);*c!=' ' && c>p && c!='\0';c--);
               if(*c==' ') {
                 *c='\0';
                 strncpy(this->text[b],p,SUB_BUFSIZE);
+                this->text[b][SUB_BUFSIZE - 1] = '\0';
                 p=c+1;
               }
             }
@@ -403,14 +409,17 @@
             char *p=this->text[line];
             for(b=0;b<chunks;b++) {
               char *c;
-              if(b==chunks-1) /* if we are reading the last chunk, copy it completly */
+              if(b==chunks-1) { /* if we are reading the last chunk, copy it completly */
                 strncpy(this->text[line+b],p,SUB_BUFSIZE);
-              else {
+                this->text[line+b][SUB_BUFSIZE - 1] = '\0';
+              } else {
                 for(c=p+(int)(len/chunks)+(len%chunks?1:0);*c!=' ' && c>p && c!='\0';c--);
                 if(*c==' ') {
                   *c='\0';
-                  if(b) /* we are reading something that has to be moved to another line */
+                  if(b) { /* we are reading something that has to be moved to another line */
                     strncpy(this->text[line+b],p,SUB_BUFSIZE);
+                    this->text[line+b][SUB_BUFSIZE - 1] = '\0';
+                  }
                   p=c+1;
                 }
               }
@@ -441,13 +450,15 @@
           char *p=buf;
           for(b=0;b<chunks;b++) {
             char *c;
-            if(b==chunks-1) /* if we are reading the last chunk, copy it completly */
+            if(b==chunks-1) { /* if we are reading the last chunk, copy it completly */
               strncpy(this->text[b],p,SUB_BUFSIZE);
-            else {
+              this->text[b][SUB_BUFSIZE - 1] = '\0';
+            } else {
               for(c=p+(int)(len/chunks)+(len%chunks?1:0);*c!=' ' && c>p && c!='\0';c--);
               if(*c==' ') {
                 *c='\0';
                 strncpy(this->text[b],p,SUB_BUFSIZE);
+                this->text[b][SUB_BUFSIZE - 1] = '\0';
                 p=c+1;
               }
             }
@@ -748,7 +759,8 @@
 {
   sputext_class_t *class = (sputext_class_t *)class_gen;
 
-  strcpy(class->font, entry->str_value);
+  strncpy(class->font, entry->str_value, FONTNAME_SIZE);
+  class->font[FONTNAME_SIZE - 1] = '\0';
   
   xprintf(class->xine, XINE_VERBOSITY_DEBUG, "libsputext: spu_font = %s\n", class->font );
 }
@@ -840,13 +852,14 @@
 			      _("You can adjust the vertical position of the subtitle. "
 			        "The setting will be evaluated relative to the window size."),
 			      0, update_vertical_offset, this);
-  strcpy(this->font, xine->config->register_string(xine->config,
+  strncpy(this->font, xine->config->register_string(xine->config,
 				"misc.spu_font",
 				"sans",
 				_("font for subtitles"),
 				_("A font from the xine font directory to be used for the "
 				  "subtitle text."),
-				10, update_osd_font, this));
+				10, update_osd_font, this), FONTNAME_SIZE);
+  this->font[FONTNAME_SIZE - 1] = '\0';
   this->src_encoding  = xine->config->register_string(xine->config, 
 				"misc.spu_src_encoding", 
 				xine_guess_spu_encoding(),