On Wed, 23 Jan 2008, Bryan Childs wrote:

> The version that Nico had in albumart.c of strip_extension() used to
> take a length argument for the filename. Changing it to use the
> existing implementation of strip_extension used everywhere else in
> Rockbox meant ditching that argument - so the strcpy() in the
> strip_extension() function being used now *could* cause a buffer
> overflow if the destination buffer you pass in is shorter than the
> filename. However, as albumart.c only calls strip_extension() once,
> and the destination buffer's size is MAX_PATH + 1, I don't really see
> how this could actually occur.

The strip_extension call itself is fine, but see what happens after that
call in albumart.c. The two calls to strcat following strip_extension are
no longer safe.

  Magnus
Received on 2008-01-23