From 4eeca53fd60da56aa46788487cb308a88b2f9cae Mon Sep 17 00:00:00 2001 From: svenhoefer Date: Thu, 24 May 2012 21:06:28 +0200 Subject: [PATCH] - eitd: fix possible buffer overflow while writing egp-data (patch by FlatTV) --- src/eitd/sectionsd.cpp | 8 +++----- src/eitd/xmlutil.cpp | 23 +++++++++++------------ 2 files changed, 14 insertions(+), 17 deletions(-) diff --git a/src/eitd/sectionsd.cpp b/src/eitd/sectionsd.cpp index 7b576c0f7..69889143b 100644 --- a/src/eitd/sectionsd.cpp +++ b/src/eitd/sectionsd.cpp @@ -1177,14 +1177,12 @@ static void commandWriteSI2XML(int connfd, char *data, const unsigned dataLength sendEmptyResponse(connfd, NULL, 0); if ((!reader_ready) || (dataLength > 100)){ eventServer->sendEvent(CSectionsdClient::EVT_WRITE_SI_FINISHED, CEventServer::INITID_SECTIONSD); - return; + return; } - char epgdir[100] = ""; - strncpy(epgdir, data, dataLength); - epgdir[dataLength] = '\0'; + data[dataLength] = '\0'; - writeEventsToFile(epgdir); + writeEventsToFile(data); eventServer->sendEvent(CSectionsdClient::EVT_WRITE_SI_FINISHED, CEventServer::INITID_SECTIONSD); } diff --git a/src/eitd/xmlutil.cpp b/src/eitd/xmlutil.cpp index c5f2a7b58..0595e01b7 100644 --- a/src/eitd/xmlutil.cpp +++ b/src/eitd/xmlutil.cpp @@ -448,24 +448,23 @@ static void write_indexxml_footer(FILE *fd) void writeEventsToFile(char *epgdir) { FILE * indexfile = NULL; - FILE * eventfile =NULL; - char filename[100] = ""; - char tmpname[100] = ""; + FILE * eventfile = NULL; + std::string filename(""); + std::string tmpname(""); char eventname[17] = ""; t_original_network_id onid = 0; t_transport_stream_id tsid = 0; t_service_id sid = 0; deleteOldfileEvents(epgdir); + tmpname = (std::string)epgdir + "/index.tmp"; - sprintf(tmpname, "%s/index.tmp", epgdir); - - if (!(indexfile = fopen(tmpname, "w"))) { - printf("[sectionsd] unable to open %s for writing\n", tmpname); + if (!(indexfile = fopen(tmpname.c_str(), "w"))) { + printf("[sectionsd] unable to open %s for writing\n", tmpname.c_str()); return; } - printf("[sectionsd] Writing Information to file: %s\n", tmpname); + printf("[sectionsd] Writing Information to file: %s\n", tmpname.c_str()); write_index_xml_header(indexfile); @@ -483,8 +482,8 @@ void writeEventsToFile(char *epgdir) tsid = (*e)->transport_stream_id; sid = (*e)->service_id; snprintf(eventname, 17, "%04x%04x%04x.xml", onid, tsid, sid); - sprintf(filename, "%s/%s", epgdir, eventname); - if (!(eventfile = fopen(filename, "w"))) { + filename = (std::string)epgdir + "/" + (std::string)eventname; + if (!(eventfile = fopen(filename.c_str(), "w"))) { goto _done; } fprintf(indexfile, "\t\n", eventname); @@ -501,9 +500,9 @@ _done: printf("[sectionsd] Writing Information finished\n"); - sprintf(filename, "%s/index.xml", epgdir); + filename = (std::string)epgdir + "/index.xml"; - rename(tmpname, filename); + rename(tmpname.c_str(), filename.c_str()); return ; }