[tracker/tracker-0.6] Buffer overflow fix (this one was exploitable too)



commit f6968ed80bfea2d2f66d75c534672a39150ad64f
Author: Philip Van Hoof <philip codeminded be>
Date:   Thu Aug 6 12:59:10 2009 +0200

    Buffer overflow fix (this one was exploitable too)

 src/tracker-extract/tracker-extract-tiff.c |   21 ++++++++++++---------
 src/tracker-extract/tracker-extract.c      |    4 ++--
 src/tracker-extract/tracker-main.c         |   20 ++++++++++----------
 3 files changed, 24 insertions(+), 21 deletions(-)
---
diff --git a/src/tracker-extract/tracker-extract-tiff.c b/src/tracker-extract/tracker-extract-tiff.c
index 012cb25..b5c1144 100644
--- a/src/tracker-extract/tracker-extract-tiff.c
+++ b/src/tracker-extract/tracker-extract-tiff.c
@@ -223,28 +223,28 @@ extract_tiff (const gchar *filename,
 						continue;
 					}
 
-					sprintf (buffer,"%s",text);
+					snprintf (buffer, 1024, "%s",text);
 					break;
 				case TIFF_TAGTYPE_UINT16:						
 					if (!TIFFGetField (image, tag->tag, &varui16)) {
 						continue;
 					}
 
-					sprintf (buffer,"%i",varui16);
+					snprintf (buffer, 1024, "%i",varui16);
 					break;
 				case TIFF_TAGTYPE_UINT32:
 					if (!TIFFGetField (image, tag->tag, &varui32)) {
 						continue;
 					}
 
-					sprintf(buffer,"%i",varui32);
+					snprintf(buffer, 1024, "%i",varui32);
 					break;
 				case TIFF_TAGTYPE_DOUBLE:
 					if (!TIFFGetField (image, tag->tag, &vardouble)) {
 						continue;
 					}
 
-					sprintf (buffer,"%f",vardouble);
+					snprintf (buffer, 1024, "%f",vardouble);
 					break;
 				case TIFF_TAGTYPE_C16_UINT16:						
 					if (!TIFFGetField (image, tag->tag, &count16, &data)) {
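Review bot: The bound `1024` is a bare literal repeated in every `snprintf` call in this hunk and in the two later hunks of this file, while the declaration of `buffer` is outside the diff, so nothing ties the limit to the real buffer size. If `buffer` is a local array, `snprintf (buffer, sizeof buffer, "%s", text);` keeps the two in step; if it is a pointer, a named constant shared with the allocation would do the same. The return value is ignored as well, so a tag value longer than the buffer is stored truncated with no log line. Separately, `varui32` is printed with `%i`; if it is the unsigned 32-bit value its name suggests, `%u` avoids showing large values as negative.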
@@ -252,7 +252,7 @@ extract_tiff (const gchar *filename,
 					}
 
 					/* We only take only the first for now */
-					sprintf (buffer,"%i",*(guint16 *)data);
+					snprintf (buffer, 1024, "%i",*(guint16 *)data);
 					break;	
 
 				default:
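Review bot: `count16` is filled in by `TIFFGetField` but is never checked before `*(guint16 *)data` is read, so a file whose tag reports zero entries, or leaves `data` NULL, would presumably still be dereferenced. A guard such as `if (count16 < 1 || !data) continue;` ahead of the `snprintf` would cover that, assuming `continue` is the right skip path here as it is in the neighbouring cases. The enclosing switch starts and ends outside this hunk.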
@@ -275,36 +275,39 @@ extract_tiff (const gchar *filename,
 		}
 	}
 
+	int tel=0;
 	/* We want to give native tags priority over XMP/Exif */
 	for (tag = tags; tag->name; ++tag) {
+		tel++;
+		
 		switch (tag->type) {
 			case TIFF_TAGTYPE_STRING:
 				if (!TIFFGetField (image, tag->tag, &text)) {
 					continue;
 				}
 
-				sprintf (buffer,"%s", text);
+				snprintf (buffer, 1024, "%s", text);
 				break;
 			case TIFF_TAGTYPE_UINT16:
 				if (!TIFFGetField (image, tag->tag, &varui16)) {
 					continue;
 				}
 
-				sprintf (buffer,"%i",varui16);
+				snprintf (buffer, 1024, "%i",varui16);
 				break;
 			case TIFF_TAGTYPE_UINT32:
 				if (!TIFFGetField (image, tag->tag, &varui32)) {
 					continue;
 				}
 
-				sprintf(buffer,"%i",varui32);
+				snprintf(buffer, 1024, "%i",varui32);
 				break;
 			case TIFF_TAGTYPE_DOUBLE:
 				if (!TIFFGetField (image, tag->tag, &vardouble)) {
 					continue;
 				}
 
-				sprintf (buffer,"%f",vardouble);
+				snprintf (buffer, 1024, "%f",vardouble);
 				break;
 			default:
 				continue;
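Review bot: The new counter `tel` is incremented on every iteration but is not read anywhere in this hunk, which suggests a debugging aid committed by accident alongside the fix. If nothing after the hunk uses it, drop `int tel=0;` and `tel++;`. If it is needed, give it a descriptive name and declare it with the other locals. The loop body continues past the end of the hunk, so confirm before removing.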
diff --git a/src/tracker-extract/tracker-extract.c b/src/tracker-extract/tracker-extract.c
index 4191ef8..9337902 100644
--- a/src/tracker-extract/tracker-extract.c
+++ b/src/tracker-extract/tracker-extract.c
@@ -470,7 +470,7 @@ tracker_extract_get_metadata (TrackerExtract	     *object,
 				    "  Resetting shutdown timeout");
 	
 	tracker_main_quit_timeout_reset ();
-	alarm (MAX_EXTRACT_TIME);
+//	alarm (MAX_EXTRACT_TIME);
 
 	values = get_file_metadata (object, request_id, path, mime);
 
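Review bot: Commenting out `alarm (MAX_EXTRACT_TIME);` removes the time limit around `get_file_metadata`, so a file that makes an extractor loop or stall can now block the process indefinitely. The matching `alarm (0);` in the next hunk is disabled too. The commit message does not mention this and it is unrelated to the bounded `snprintf` fix, so it looks like a debugging change that slipped in. I would restore both calls. If the watchdog is being retired on purpose, delete the lines instead of commenting them out, update the "Unset alarm" comment, and state the reason in the commit message.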
@@ -494,5 +494,5 @@ tracker_extract_get_metadata (TrackerExtract	     *object,
 	}
 
 	/* Unset alarm so the extractor doesn't die when it's idle */
-	alarm (0);
+//	alarm (0);
 }
diff --git a/src/tracker-extract/tracker-main.c b/src/tracker-extract/tracker-main.c
index 056a599..6f680c1 100644
--- a/src/tracker-extract/tracker-main.c
+++ b/src/tracker-extract/tracker-main.c
@@ -101,7 +101,7 @@ static gboolean
 quit_timeout_cb (gpointer user_data)
 {
 	quit_timeout_id = 0;
-	g_main_loop_quit (main_loop);
+//	g_main_loop_quit (main_loop);
 
 	return FALSE;
 }
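Review bot: With `g_main_loop_quit (main_loop);` commented out, `quit_timeout_cb` only clears `quit_timeout_id`, and the next hunk turns `tracker_main_quit_timeout_reset` into an empty function. The idle shutdown driven by `QUIT_TIMEOUT` therefore never happens, leaving the extractor process resident after it has handled files. That is a behaviour change independent of the overflow fix and should be its own commit with a rationale. Otherwise restore the original lines here and in the next hunk, since dead code left as `//` comments hides the intent.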
@@ -109,13 +109,13 @@ quit_timeout_cb (gpointer user_data)
 void
 tracker_main_quit_timeout_reset (void)
 {
-	if (quit_timeout_id != 0) {
-		g_source_remove (quit_timeout_id);
-	}
-
-	quit_timeout_id = g_timeout_add_seconds (QUIT_TIMEOUT, 
-						 quit_timeout_cb, 
-						 NULL);
+//	if (quit_timeout_id != 0) {
+//		g_source_remove (quit_timeout_id);
+//	}
+//
+//	quit_timeout_id = g_timeout_add_seconds (QUIT_TIMEOUT, 
+//						 quit_timeout_cb, 
+//						 NULL);
 }
 
 TrackerHal *
@@ -181,7 +181,7 @@ signal_handler (int signo)
 
 	/* Die if we get re-entrant signals handler calls */
 	if (in_loop) {
-		_exit (EXIT_FAILURE);
+//		_exit (EXIT_FAILURE);
 	}
 
 	switch (signo) {
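Review bot: The re-entrancy guard is now `if (in_loop) { }` with an empty body, so a second signal arriving during handling no longer ends the process. In the next hunk the `SIGTERM`/`SIGINT` case sets `in_loop = TRUE` but no longer calls `quit_timeout_cb (NULL);`, which leaves no visible path from those signals to a shutdown. That case also falls into `default:` without a fallthrough comment. I would restore `_exit (EXIT_FAILURE);` and the `quit_timeout_cb (NULL);` call, or explain in the commit message why they are disabled. The rest of `signal_handler` lies outside both hunks.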
@@ -192,7 +192,7 @@ signal_handler (int signo)
 	case SIGTERM:
 	case SIGINT:
 		in_loop = TRUE;
-		quit_timeout_cb (NULL);
+//		quit_timeout_cb (NULL);
 	default:
 		if (g_strsignal (signo)) {
 			g_print ("\n");


