Bug 739844 – examples: use snprintf instead of sprintf which is vulnerable

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 739844 - examples: use snprintf instead of sprintf which is vulnerable


Summary:	examples: use snprintf instead of sprintf which is vulnerable


Status:	RESOLVED FIXED

Product:	GStreamer
Classification:	Platform
Component:	gst-plugins-bad
Version:	git master
Hardware:	Other All

Importance:	Normal minor
Target Milestone:	1.5.1
Assigned To:	GStreamer Maintainers
QA Contact:	GStreamer Maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2014-11-09 14:39 UTC by Hyunjun Ko
Modified:	2014-11-09 19:30 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
Use snprintf instead of sprintf which is vulnerable (1.31 KB, patch) 2014-11-09 14:40 UTC, Hyunjun Ko	none	Details \| Review
Use snprintf instead of sprintf which is vulnerable (1.31 KB, patch) 2014-11-09 14:44 UTC, Hyunjun Ko	rejected	Details \| Review

Description Hyunjun Ko 2014-11-09 14:39:22 UTC

There are some places using sprintf, which deos not check buffer boundary.
I replaced them to using snprintf.

Comment 1 Hyunjun Ko 2014-11-09 14:40:28 UTC

Created attachment 290272 [details] [review]
Use snprintf instead of sprintf which is vulnerable

I replaced them to using snprintf.

Comment 2 Hyunjun Ko 2014-11-09 14:44:52 UTC

Created attachment 290273 [details] [review]
Use snprintf instead of sprintf which is vulnerable

Comment 3 Nicolas Dufresne (ndufresne) 2014-11-09 19:22:25 UTC

This is a test, so not really a vulnerability. Also, be careful if you find a real vulnerability, this isn't the appropriate way to submit these. Use the CVE process.

Comment 4 Tim-Philipp Müller 2014-11-09 19:28:00 UTC

Thanks for the patch, but in this case I think the whole example should just be removed:

commit f07de37ad181a6b106b2d0c2003a61ab14e711bc
Author: Tim-Philipp Müller <tim@centricular.com>
Date:   Sun Nov 9 19:23:47 2014 +0000

    examples: remove pointless mpegtsmux example
    
    Serves no purpose, is not even hooked up to the
    build system, has hard coded file names and paths,
    and can easily be replaced with a gst-launch line.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=739844

Comment 5 Nicolas Dufresne (ndufresne) 2014-11-09 19:30:20 UTC

*** Bug 739846 has been marked as a duplicate of this bug. ***