We are currently migrating Bugzilla to GitHub issues.
Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.
When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.

Bug 2872

Summary: possible stack corruption in read_config_file()
Product: SDL_mixer Reporter: Ozkan Sezer <sezeroz>
Component: miscAssignee: Ryan C. Gordon <icculus>
Status: RESOLVED DUPLICATE QA Contact: Sam Lantinga <slouken>
Severity: normal    
Priority: P2    
Version: unspecified   
Hardware: x86   
OS: Linux   

Description Ozkan Sezer 2015-02-08 17:27:45 UTC 
There is a stack corruption in read_config_file() where the
words index for the w[] array becomes equal to MAXWORDS. The
following simple patch fixes it.

diff -r b28b41b93ba7 timidity/timidity.c
--- a/timidity/timidity.c	Sat Nov 29 14:42:02 2014 -0800
+++ b/timidity/timidity.c	Sun Feb 08 19:27:08 2015 +0200
@@ -56,10 +56,10 @@ static int read_config_file(const char *
     line++;
     w[words=0]=strtok(tmp, " \t\r\n\240");
     if (!w[0] || (*w[0]=='#')) continue;
-    while (w[words] && (words < MAXWORDS))
+    while (w[words] && *w[words]!='#')
       {
-        w[++words]=strtok(0," \t\r\n\240");
-        if (w[words] && w[words][0]=='#') break;
+        if (++words == MAXWORDS) break;
+        w[words]=strtok(NULL, " \t\r\n\240");
       }
     if (!strcmp(w[0], "map")) continue;
     if (!strcmp(w[0], "dir"))
Comment 1 Sam Lantinga 2015-05-05 05:13:04 UTC 
This is a duplicate of bug 2966

*** This bug has been marked as a duplicate of bug 2966 ***