On Wed, 23 Jan 2008, Bryan Childs wrote: > The version that Nico had in albumart.c of strip_extension() used to > take a length argument for the filename. Changing it to use the > existing implementation of strip_extension used everywhere else in > Rockbox meant ditching that argument - so the strcpy() in the > strip_extension() function being used now *could* cause a buffer > overflow if the destination buffer you pass in is shorter than the > filename. However, as albumart.c only calls strip_extension() once, > and the destination buffer's size is MAX_PATH + 1, I don't really see > how this could actually occur.
The strip_extension call itself is fine, but see what happens after that call in albumart.c. The two calls to strcat following strip_extension are no longer safe. Magnus
