We are currently migrating Bugzilla to GitHub issues.
Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.
When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.

Bug 2872 - possible stack corruption in read_config_file()
Summary: possible stack corruption in read_config_file()
Status: RESOLVED DUPLICATE of bug 2966
Alias: None
Product: SDL_mixer
Classification: Unclassified
Component: misc (show other bugs)
Version: unspecified
Hardware: x86 Linux
: P2 normal
Assignee: Ryan C. Gordon
QA Contact: Sam Lantinga
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-02-08 17:27 UTC by Ozkan Sezer
Modified: 2015-05-05 05:13 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ozkan Sezer 2015-02-08 17:27:45 UTC 
There is a stack corruption in read_config_file() where the
words index for the w[] array becomes equal to MAXWORDS. The
following simple patch fixes it.

diff -r b28b41b93ba7 timidity/timidity.c
--- a/timidity/timidity.c	Sat Nov 29 14:42:02 2014 -0800
+++ b/timidity/timidity.c	Sun Feb 08 19:27:08 2015 +0200
@@ -56,10 +56,10 @@ static int read_config_file(const char *
     line++;
     w[words=0]=strtok(tmp, " \t\r\n\240");
     if (!w[0] || (*w[0]=='#')) continue;
-    while (w[words] && (words < MAXWORDS))
+    while (w[words] && *w[words]!='#')
       {
-        w[++words]=strtok(0," \t\r\n\240");
-        if (w[words] && w[words][0]=='#') break;
+        if (++words == MAXWORDS) break;
+        w[words]=strtok(NULL, " \t\r\n\240");
       }
     if (!strcmp(w[0], "map")) continue;
     if (!strcmp(w[0], "dir"))
Comment 1 Sam Lantinga 2015-05-05 05:13:04 UTC 
This is a duplicate of bug 2966

*** This bug has been marked as a duplicate of bug 2966 ***