In multiple files (text.cpp, serve.cpp, parse.cpp) the channelno buffer is declared with only 7 or 8 bytes, but the sprintf that fills it can write up to 12 bytes (11 characters plus the NUL terminator).
```cpp
// text.cpp, serve.cpp, etc.
char channelno[8]; // or [7] in some files
// c->major and c->minor are uint16_t (max 65535)
// "65535.65535" = 11 chars + 1 null terminator = 12 bytes
if (c->major + c->minor > 1)
	sprintf(channelno, "%d.%d", c->major, c->minor);
```
Because channelno is a local array, this is a stack buffer overflow, reachable while processing streams whose channel numbers need more digits than the buffer holds: with an 8-byte buffer, any major.minor pair whose decimal rendering is longer than 7 characters writes past the end, and the worst case (65535.65535) overruns it by 4 bytes (5 bytes for the 7-byte variant).
Locations:
- libdvbtee_server/text.cpp: lines 296, 353, 418
- libdvbtee_server/serve.cpp: line 921
- libdvbtee/parse.cpp: line 1029
Fix: Increase the buffer to at least 16 bytes (12 is the exact minimum for "65535.65535" plus NUL) and replace sprintf with snprintf(channelno, sizeof(channelno), "%d.%d", ...), so that any future widening of major/minor truncates instead of overflowing.
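The following is an added example, not code from libdvbtee: it computes how many bytes the "%d.%d" rendering actually needs for a given major/minor pair (so the 7- and 8-byte buffers can be checked against concrete values), and shows a hardened replacement for the sprintf call that keeps the original (major + minor > 1) guard and truncates instead of overrunning. The function names channelno_needed, channelno_overflows and format_channelno are assumptions introduced here; the sample channel numbers are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Recommended buffer size from the fix above; the exact minimum is 12
 * ("65535.65535" is 11 characters plus the NUL). */
#define CHANNELNO_BUFSIZE 16

/* Bytes, including the NUL, that sprintf("%d.%d", major, minor) writes.
 * snprintf with a NULL/0 destination only measures; it writes nothing. */
size_t channelno_needed(uint16_t major, uint16_t minor)
{
    int n = snprintf(NULL, 0, "%d.%d", major, minor);
    return (size_t)n + 1;
}

/* 1 if the original fixed-size buffer would be overrun for this pair. */
int channelno_overflows(size_t bufsize, uint16_t major, uint16_t minor)
{
    return channelno_needed(major, minor) > bufsize;
}

/* Hardened replacement for the sprintf call (assumed helper, not the
 * project's own). Keeps the original guard. Returns 0 on success, -1 if
 * the output was truncated; never writes past bufsize bytes. */
int format_channelno(char *buf, size_t bufsize, uint16_t major, uint16_t minor)
{
    if (bufsize == 0)
        return -1;
    buf[0] = '\0';
    if (major + minor > 1) {
        int n = snprintf(buf, bufsize, "%d.%d", major, minor);
        if (n < 0 || (size_t)n >= bufsize)
            return -1; /* would have overflowed a sprintf into this buffer */
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: the uint16_t worst case, the largest in-spec
     * ATSC pair (major/minor are each at most 999), and a small pair. */
    const uint16_t cases[][2] = { {65535, 65535}, {999, 999}, {7, 1} };
    const size_t old_sizes[] = { 7, 8 };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint16_t major = cases[i][0], minor = cases[i][1];
        char fixed[CHANNELNO_BUFSIZE];
        int rc = format_channelno(fixed, sizeof fixed, major, minor);

        printf("%u.%u needs %zu bytes:", major, minor,
               channelno_needed(major, minor));
        for (size_t j = 0; j < sizeof old_sizes / sizeof old_sizes[0]; j++)
            printf(" char[%zu] %s;", old_sizes[j],
                   channelno_overflows(old_sizes[j], major, minor)
                       ? "OVERFLOW" : "ok");
        printf(" snprintf into char[%d] -> rc=%d \"%s\"\n",
               CHANNELNO_BUFSIZE, rc, fixed);
    }
    return 0;
}
```

The measuring call (snprintf with a NULL destination and size 0) is the quickest way to confirm the bound cited above without triggering the overflow: 65535.65535 needs 12 bytes, so both the 7- and 8-byte buffers are overrun, and even the in-spec 999.999 needs 8 bytes, one more than the 7-byte variant holds.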