From b40206b949651341857b2199ef291a222b3f08ed Mon Sep 17 00:00:00 2001 From: Fred Gleason Date: Mon, 23 Jul 2018 16:01:50 +0000 Subject: [PATCH] 2018-07-23 Fred Gleason * Fixed a buffer overflow vulnerability in the 'RDCddbLookup' class. --- ChangeLog | 2 ++ lib/rdcddblookup.cpp | 10 +++++----- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index fc716a3b..526a36f8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17206,3 +17206,5 @@ * Incremented the database version to 295. * Refactored the log importer code to use the static 'IMPORTER_LINES' table. +2018-07-23 Fred Gleason + * Fixed a buffer overflow vulnerability in the 'RDCddbLookup' class. diff --git a/lib/rdcddblookup.cpp b/lib/rdcddblookup.cpp index fffa75fb..2b74fad5 100644 --- a/lib/rdcddblookup.cpp +++ b/lib/rdcddblookup.cpp @@ -138,7 +138,7 @@ void RDCddbLookup::readyReadData() switch(lookup_state) { case 0: // Login Banner if((code==200)||(code==201)) { - sprintf(buffer,"cddb hello %s %s %s %s", + snprintf(buffer,2048,"cddb hello %s %s %s %s", (const char *)lookup_username, (const char *)lookup_hostname, (const char *)lookup_appname, @@ -153,13 +153,13 @@ void RDCddbLookup::readyReadData() case 1: // Handshake Response if((code==200)||(code==402)) { - sprintf(buffer,"cddb query %08x %d", + snprintf(buffer,2048,"cddb query %08x %d", lookup_record->discId(),lookup_record->tracks()); for(int i=0;itracks();i++) { - sprintf(offset," %d",lookup_record->trackOffset(i)); + snprintf(offset,256," %d",lookup_record->trackOffset(i)); strcat(buffer,offset); } - sprintf(offset," %d",lookup_record->discLength()/75); + snprintf(offset,256," %d",lookup_record->discLength()/75); strcat(buffer,offset); SendToServer(buffer); lookup_state=2; 
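Review bot: The size passed to `snprintf` in the login-banner case is the literal `2048`, while the declaration of `buffer` is outside the hunk, so the bound holds only as long as the two stay in step. If `buffer` is a local array, `snprintf(buffer,sizeof(buffer),"cddb hello %s %s %s %s",` would tie them together. The return value is also ignored, so an over-long username, hostname or application name now produces a silently truncated command that is still passed to `SendToServer`; comparing the result against the buffer size and abandoning the lookup would make that case explicit. The same applies to the `2048` and `256` literals in the handshake hunk and to the `cddb read` hunk, where truncation would also drop the trailing `\n`.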
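Review bot: The two `strcat(buffer,offset)` calls in the handshake case are still unbounded, because only the initial `snprintf` into `buffer` is limited to 2048 and each track offset is then appended with no check on the space left. Whether the total can exceed 2048 depends on the track count that `lookup_record` reports, which nothing in this hunk limits. Appending with `snprintf` at a running offset, and stopping once the command no longer fits, would bound the whole command rather than only its first part. The loop header is garbled in this view and is assumed to iterate up to `lookup_record->tracks()`; readyReadData() and the declarations of `buffer` and `offset` lie outside the hunk.

```cpp
if((code==200)||(code==402)) {
  int len=snprintf(buffer,2048,"cddb query %08x %d",
                   lookup_record->discId(),lookup_record->tracks());
  for(int i=0;i<lookup_record->tracks();i++) {
    if((len<0)||(len>=2048)) {
      break;  // formatting failed or the command no longer fits
    }
    len+=snprintf(buffer+len,2048-len," %d",lookup_record->trackOffset(i));
  }
  if((len>=0)&&(len<2048)) {
    len+=snprintf(buffer+len,2048-len," %d",lookup_record->discLength()/75);
  }
  // … unchanged: SendToServer(buffer) and lookup_state=2, reached only when (len>=0)&&(len<2048) …
```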
@@ -182,7 +182,7 @@ void RDCddbLookup::readyReadData()
 start+=9;
 }
 lookup_record->setDiscTitle((const char *)line+start);
- sprintf(buffer,"cddb read %s %08x\n",
+ snprintf(buffer,2048,"cddb read %s %08x\n",
 (const char *)lookup_record->discGenre(),
 lookup_record->discId());
 SendToServer(buffer);