We are currently migrating Bugzilla to GitHub issues.
Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.
When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.

Bug 2871 - stack corruption in read_config_file()
Summary: stack corruption in read_config_file()
Status: RESOLVED ENDOFLIFE
Alias: None
Product: SDL_sound
Classification: Unclassified
Component: everything (show other bugs)
Version: unspecified
Hardware: x86 Linux
: P2 normal
Assignee: Ryan C. Gordon
QA Contact: Ryan C. Gordon
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-02-08 17:04 UTC by Ozkan Sezer
Modified: 2018-08-02 08:47 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ozkan Sezer 2015-02-08 17:04:33 UTC 
There is a stack corruption in read_config_file() where the
words index for the w[] array becomes equal to MAXWORDS. The
following simple patch fixes it.

diff -r 719dade41745 decoders/timidity/timidity.c
--- a/decoders/timidity/timidity.c	Wed Aug 15 23:52:18 2012 -0400
+++ b/decoders/timidity/timidity.c	Sun Feb 08 19:00:41 2015 +0200
@@ -113,8 +113,10 @@ static int read_config_file(char *name)
     if (*w[0] == '#')
         continue;
 
-    while (w[words] && *w[words] != '#' && (words < MAXWORDS))
-      w[++words]=strtok(0," \t\240");
+    while (w[words] && *w[words] != '#') {
+      if (++words == MAXWORDS) break;
+      w[words]=strtok(NULL, " \t\240");
+    }
 
         /*
          * TiMidity++ adds a number of extensions to the config file format.
Comment 1 Ozkan Sezer 2018-08-02 08:47:01 UTC 
This is obsolete now