aplay: fix buffer overflow and tainted format string

alsa-project/alsa-utils pull request #246 was opened from szsam:

Prior to this commit, memcpy from names[0] to format[] will overwrite if strlen(names[0]) is greater than 1024. Also, the length of malloc()ed names[channel] is insufficient, leading to another buffer overwriting when calling sprintf(). Moreover, the format string of sprintf() can be controlled by user input. An attacker can exploit this weakness to crash the program, disclose information or even execute arbitrary code.

Fix by allocating enough space for arrays and using constant expressions as the format strings.

Request URL   : https://github.com/alsa-project/alsa-utils/pull/246
Patch URL     : https://github.com/alsa-project/alsa-utils/pull/246.patch
Repository URL: https://github.com/alsa-project/alsa-utils
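
An added example, not code from the pull request or from alsa-utils, of the two fixes the description names: sizing the allocation from the data and passing the untrusted name as an argument to a constant format string. The helper names `channel_name` and `expand_names` and the `<base>.<channel>` naming scheme are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from alsa-utils): build "<base>.<channel>".
 * The base name is untrusted (e.g. a command-line argument), so it is
 * only ever passed as a %s argument, never used as the format itself. */
char *channel_name(const char *base, unsigned int channel)
{
	/* Ask snprintf for the exact length instead of guessing a fixed size. */
	int need = snprintf(NULL, 0, "%s.%u", base, channel);
	if (need < 0)
		return NULL;

	char *out = malloc((size_t)need + 1);	/* +1 for the terminating NUL */
	if (out == NULL)
		return NULL;

	/* Constant format string, and a size bound that matches the allocation. */
	snprintf(out, (size_t)need + 1, "%s.%u", base, channel);
	return out;
}

/* Expand one base name into `channels` names; 0 on success, -1 on failure. */
int expand_names(const char *base, char **names, unsigned int channels)
{
	for (unsigned int ch = 0; ch < channels; ch++) {
		names[ch] = channel_name(base, ch);
		if (names[ch] == NULL) {
			while (ch > 0)
				free(names[--ch]);
			return -1;
		}
	}
	return 0;
}

int main(void)
{
	/* Constructed input: conversion specifiers in the name stay literal. */
	char *names[2];
	if (expand_names("take-%s%n", names, 2) != 0)
		return 1;
	printf("%s\n%s\n", names[0], names[1]);
	free(names[0]);
	free(names[1]);
	return 0;
}
```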
