From d2921e9444aeeb6b23f94721071caa606eaa6d95 Mon Sep 17 00:00:00 2001
From: ejurgensen
Date: Sun, 22 Sep 2019 20:27:47 +0200
Subject: [PATCH] [pipe] Harden pict_tmpfile_recreate() against invalid input
---
 src/inputs/pipe.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/inputs/pipe.c b/src/inputs/pipe.c
index 71e19dd2..adbbbc06 100644
--- a/src/inputs/pipe.c
+++ b/src/inputs/pipe.c
@@ -318,12 +318,19 @@ static int
 pict_tmpfile_recreate(struct pipe_metadata *pm, const char *ext)
 {
 int offset = strlen(PIPE_TMPFILE_TEMPLATE) - PIPE_TMPFILE_TEMPLATE_EXTLEN;
+ int len = strlen(ext);
+
+ if (len > PIPE_TMPFILE_TEMPLATE_EXTLEN)
+ {
+ DPRINTF(E_LOG, L_PLAYER, "Invalid extension provided to pict_tmpfile_recreate (len=%d): '%s'\n", len, ext);
+ return -1;
+ }
 pict_tmpfile_close(pm);
 strcpy(pm->pict_tmpfile_path, PIPE_TMPFILE_TEMPLATE);
 // Use memcpy instead of strncpy because gcc 8 gives false warnings otherwise
- memcpy(pm->pict_tmpfile_path + offset, ext, PIPE_TMPFILE_TEMPLATE_EXTLEN);
+ memcpy(pm->pict_tmpfile_path + offset, ext, len);
 pm->pict_tmpfile_fd = mkstemps(pm->pict_tmpfile_path, PIPE_TMPFILE_TEMPLATE_EXTLEN);
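Review bot: The new guard in pict_tmpfile_recreate() rejects only an over-long `ext`, so an extension shorter than PIPE_TMPFILE_TEMPLATE_EXTLEN still passes and `memcpy(pm->pict_tmpfile_path + offset, ext, len)` overwrites just the first `len` bytes of the template's suffix, leaving the rest of the placeholder suffix in the name handed to mkstemps(). If callers are only meant to pass extensions of exactly that length (the template itself is defined outside this hunk), the check should be `if (len != PIPE_TMPFILE_TEMPLATE_EXTLEN)`; otherwise the short case deserves a comment saying the leftover suffix is intended. Separately, `int len = strlen(ext);` narrows a size_t, and a value that wraps negative would pass the `>` test and turn into a huge memcpy size, so `size_t len = strlen(ext);` with `%zu` in the DPRINTF format is the safer form. The function body continues past the end of the hunk.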