[Fix] Avoid possible out of bounds memory access.

2014-05-19 19:54:12 +01:00 · 2014-05-19 19:54:12 +01:00 · 252f2f87b7
commit 252f2f87b7
parent ee7667be6d
3 changed files with 8 additions and 4 deletions
--- a/src/ai.c
+++ b/src/ai.c
@ -389,7 +389,9 @@ int ai_init(void) {
  suflen = strlen(AI_SUFFIX);
  for(i = 0; i < nfiles; i++) {
    flen = strlen(files[i]);
-    if(strncmp(&files[i][flen-suflen], AI_SUFFIX, suflen)==0) {
+    if((flen > suflen) &&
        strncmp(&files[i][flen-suflen], AI_SUFFIX, suflen)==0) {
      snprintf(path, PATH_MAX, AI_PREFIX"%s", files[i]);
      if(ai_loadProfile(path)) /* Load the profile. */
        WARN("Error loading AI profile '%s'", path);
--- a/src/music.c
+++ b/src/music.c
@ -180,7 +180,9 @@ static int music_find(void) {
  suflen = strlen(MUSIC_SUFFIX);
  for(i = 0; i < nfiles; i++) {
    flen = strlen(files[i]);
-    if(strncmp(&files[i][flen - suflen], MUSIC_SUFFIX, suflen)==0) {
+    if((flen > suflen) &&
        strncmp(&files[i][flen - suflen], MUSIC_SUFFIX, suflen)==0) {
      /* Grow the selection size. */
      nmusic_selection++;
      if(nmusic_selection > mem) {
--- a/src/sound.c
+++ b/src/sound.c
@ -442,8 +442,8 @@ static int sound_makeList(void) {
  suflen = strlen(SOUND_SUFFIX);
  for(i = 0; i < nfiles; i++) {
    flen = strlen(files[i]);
-    if(strncmp(&files[i][flen - suflen],
+    if((flen > suflen) &&
-          SOUND_SUFFIX, suflen)==0) {
+        strncmp(&files[i][flen - suflen], SOUND_SUFFIX, suflen)==0) {
      /* Expand the selection size. */
      sound_nlist++;