Fix possible buffer overflow using strncat

+ Remove unnecessary getenv code

[Version] 0.11.13
[Profile] Common
[Issue Type] Security

Change-Id: Ief1e7f38562eacd4a4fea2e04bc726197c1d6d94

diff --git a/packaging/libmm-sound.spec b/packaging/libmm-sound.spec
index 86f1c45..3f1e120 100644 (file)
--- a/packaging/libmm-sound.spec
+++ b/packaging/libmm-sound.spec
@@ -1,6 +1,6 @@
 Name:       libmm-sound
 Summary:    MMSound Package contains client lib and sound_server binary
-Version:    0.11.12
+Version:    0.11.13
 Release:    0
 Group:      System/Libraries
 License:    Apache-2.0

diff --git a/server/mm_sound_plugin.c b/server/mm_sound_plugin.c
index 526b836..1f50045 100644 (file)
--- a/server/mm_sound_plugin.c
+++ b/server/mm_sound_plugin.c
@@ -260,7 +260,7 @@ static char* __strcatdup(const char *str1, const char *str2, const char *str3)
     if (!dest)
         return NULL;
     strncpy(dest, str1, len-1);
-    strncat(dest, str2, len-1);
-    strncat(dest, str3, len-1);
+    strncat(dest, str2, len-strlen(dest)-1);
+    strncat(dest, str3, len-strlen(dest)-1);
     return dest;
 }

diff --git a/server/mm_sound_server.c b/server/mm_sound_server.c
index c646024..a5e7a60 100644 (file)
--- a/server/mm_sound_server.c
+++ b/server/mm_sound_server.c
@@ -85,7 +85,6 @@ static void _mainloop_run()
 static int _get_option(int argc, char **argv, server_arg *arg)
 {
        int c;
-       char *plugin_env_dir = NULL;
        static struct option long_options[] = {
                {"start", 0, 0, 'S'},
                {"list", 0, 0, 'L'},
@@ -96,8 +95,7 @@ static int _get_option(int argc, char **argv, server_arg *arg)
        };
        memset(arg, 0, sizeof(server_arg));
 
-       plugin_env_dir = getenv(PLUGIN_ENV);
-       MMSOUND_STRNCPY(arg->plugdir, (plugin_env_dir? plugin_env_dir : PLUGIN_DIR), MAX_PLUGIN_DIR_PATH_LEN);
+       MMSOUND_STRNCPY(arg->plugdir, PLUGIN_DIR, MAX_PLUGIN_DIR_PATH_LEN);
 
        arg->testmode = 0;