changeset 12646:9a495bdc3a1e

string handling security fixes patch by Nicholas Kain, Alexander Strasser <eclipse7@gmx.net> reviewed by Pontscho, Alex, Rich
author diego
date Fri, 25 Jun 2004 16:49:53 +0000
parents 3841ef14a481
children b910efb11192
files Gui/interface.c Gui/mplayer/common.c Gui/skin/font.c Gui/skin/skin.c configure libmenu/menu_console.c libmpdemux/cue_read.c libvo/vo_dxr3.c osdep/Makefile osdep/strl.c playtree.c subreader.c vidix/vidixlib.c
diffstat 13 files changed, 214 insertions(+), 84 deletions(-) [+]
line wrap: on
line diff
--- a/Gui/interface.c	Fri Jun 25 16:43:34 2004 +0000
+++ b/Gui/interface.c	Fri Jun 25 16:49:53 2004 +0000
@@ -54,8 +54,12 @@
  if ( *dest )
   {
    tmp=malloc( strlen( *dest ) + strlen( src ) + 1 );
-   strcpy( tmp,*dest ); strcat( tmp,src ); free( *dest ); 
-  }
+   
+   if ( tmp ) /* TODO: advanced error handling */
+    {
+     strcpy( tmp,*dest ); strcat( tmp,src ); free( *dest ); 
+    }
+   }
   else
    { tmp=malloc( strlen( src ) + 1 ); strcpy( tmp,src ); }
  *dest=tmp;
--- a/Gui/mplayer/common.c	Fri Jun 25 16:43:34 2004 +0000
+++ b/Gui/mplayer/common.c	Fri Jun 25 16:49:53 2004 +0000
@@ -32,35 +32,39 @@
 
 extern unsigned int GetTimerMS( void );
 
-inline void TranslateFilename( int c,char * tmp )
+inline void TranslateFilename( int c,char * tmp,size_t tmplen )
 {
  int i;
+ char * p;
+ 
  switch ( guiIntfStruct.StreamType )
   {
    case STREAMTYPE_STREAM:
-        strcpy( tmp,guiIntfStruct.Filename );
+        strlcpy(tmp, guiIntfStruct.Filename, tmplen);
         break;
    case STREAMTYPE_FILE:
           if ( ( guiIntfStruct.Filename )&&( guiIntfStruct.Filename[0] ) )
            {
-	    if ( strrchr( guiIntfStruct.Filename,'/' ) ) strncpy( tmp,strrchr( guiIntfStruct.Filename,'/' ) + 1, 511 );
-	     else strncpy( tmp,guiIntfStruct.Filename , 511);
+            if ( p = strrchr(guiIntfStruct.Filename, '/') )
+              strlcpy(tmp, p + 1, tmplen);
+            else
+              strlcpy(tmp, guiIntfStruct.Filename, tmplen);
             if ( tmp[strlen( tmp ) - 4] == '.' ) tmp[strlen( tmp ) - 4]=0;
             if ( tmp[strlen( tmp ) - 5] == '.' ) tmp[strlen( tmp ) - 5]=0;
-           } else strcpy( tmp,MSGTR_NoFileLoaded );
+           } else strlcpy( tmp,MSGTR_NoFileLoaded,tmplen );
           break;
 #ifdef USE_DVDREAD
    case STREAMTYPE_DVD:
-          if ( guiIntfStruct.DVD.current_chapter ) sprintf( tmp,MSGTR_Chapter,guiIntfStruct.DVD.current_chapter );
-            else strcat( tmp,MSGTR_NoChapter );
+          if ( guiIntfStruct.DVD.current_chapter ) snprintf(tmp,tmplen,MSGTR_Chapter,guiIntfStruct.DVD.current_chapter );
+            else strlcat( tmp,MSGTR_NoChapter,tmplen );
           break;
 #endif
 #ifdef HAVE_VCD
    case STREAMTYPE_VCD:
-        sprintf( tmp,MSGTR_VCDTrack,guiIntfStruct.Track );
+        snprintf( tmp,tmplen,MSGTR_VCDTrack,guiIntfStruct.Track );
 	break;
 #endif
-   default: strcpy( tmp,MSGTR_NoMediaOpened );
+   default: strlcpy( tmp,MSGTR_NoMediaOpened,tmplen );
   }
  if ( c )
   {
@@ -74,75 +78,94 @@
   }
 }
 
+/* Unsafe!  Pass only null-terminated strings as (char *)str. */
 char * Translate( char * str )
 {
  static char   trbuf[512];
         char   tmp[512];
         int    i,c;
         int    t;
+        int    strsize = 0;
  memset( trbuf,0,512 );
  memset( tmp,0,128 );
- for ( c=0,i=0;i < (int)strlen( str );i++ )
+ strsize = strlen(str);
+ for ( c=0,i=0;i < strsize;i++ )
   {
    if ( str[i] != '$' ) { trbuf[c++]=str[i]; trbuf[c]=0; }
     else
     {
      switch ( str[++i] )
       {
-       case 't': sprintf( tmp,"%02d",guiIntfStruct.Track ); strcat( trbuf,tmp ); break;
-       case 'o': TranslateFilename( 0,tmp ); strcat( trbuf,tmp ); break;
-       case 'f': TranslateFilename( 1,tmp ); strcat( trbuf,tmp ); break;
-       case 'F': TranslateFilename( 2,tmp ); strcat( trbuf,tmp ); break;
+       case 't': snprintf( tmp,sizeof( tmp ),"%02d",guiIntfStruct.Track );
+		 strlcat( trbuf,tmp,sizeof( trbuf ) ); break;
+       case 'o': TranslateFilename( 0,tmp,sizeof( tmp ) );
+		 strlcat( trbuf,tmp,sizeof( trbuf ) ); break;
+       case 'f': TranslateFilename( 1,tmp,sizeof( tmp ) );
+		 strlcat( trbuf,tmp,sizeof( trbuf ) ); break;
+       case 'F': TranslateFilename( 2,tmp,sizeof( tmp ) );
+		 strlcat( trbuf,tmp,sizeof( trbuf ) ); break;
        case '6': t=guiIntfStruct.LengthInSec; goto calclengthhhmmss;
        case '1': t=guiIntfStruct.TimeSec;
 calclengthhhmmss:
-            sprintf( tmp,"%02d:%02d:%02d",t/3600,t/60%60,t%60 ); strcat( trbuf,tmp );
+            snprintf( tmp,sizeof( tmp ),"%02d:%02d:%02d",t/3600,t/60%60,t%60 );
+            strlcat( trbuf,tmp,sizeof( trbuf ) );
             break;
        case '7': t=guiIntfStruct.LengthInSec; goto calclengthmmmmss;
        case '2': t=guiIntfStruct.TimeSec;
 calclengthmmmmss:
-            sprintf( tmp,"%04d:%02d",t/60,t%60 ); strcat( trbuf,tmp );
+            snprintf( tmp,sizeof( tmp ),"%04d:%02d",t/60,t%60 );
+            strlcat( trbuf,tmp,sizeof( trbuf ) );
             break;
-       case '3': sprintf( tmp,"%02d",guiIntfStruct.TimeSec / 3600 ); strcat( trbuf,tmp ); break;
-       case '4': sprintf( tmp,"%02d",( ( guiIntfStruct.TimeSec / 60 ) % 60 ) ); strcat( trbuf,tmp ); break;
-       case '5': sprintf( tmp,"%02d",guiIntfStruct.TimeSec % 60 ); strcat( trbuf,tmp ); break;
-       case '8': sprintf( tmp,"%01d:%02d:%02d",guiIntfStruct.TimeSec / 3600,( guiIntfStruct.TimeSec / 60 ) % 60,guiIntfStruct.TimeSec % 60 ); strcat( trbuf,tmp ); break;
-       case 'v': sprintf( tmp,"%3.2f%%",guiIntfStruct.Volume ); strcat( trbuf,tmp ); break;
-       case 'V': sprintf( tmp,"%3.1f",guiIntfStruct.Volume ); strcat( trbuf,tmp ); break;
-       case 'b': sprintf( tmp,"%3.2f%%",guiIntfStruct.Balance ); strcat( trbuf,tmp ); break;
-       case 'B': sprintf( tmp,"%3.1f",guiIntfStruct.Balance ); strcat( trbuf,tmp ); break;
-       case 'd': sprintf( tmp,"%d",guiIntfStruct.FrameDrop ); strcat( trbuf,tmp ); break;
-       case 'x': sprintf( tmp,"%d",guiIntfStruct.MovieWidth ); strcat( trbuf,tmp ); break;
-       case 'y': sprintf( tmp,"%d",guiIntfStruct.MovieHeight ); strcat( trbuf,tmp ); break;
-       case 'C': sprintf( tmp,"%s", guiIntfStruct.sh_video? ((sh_video_t *)guiIntfStruct.sh_video)->codec->name : "");
-                 strcat( trbuf,tmp ); break;
-       case 's': if ( guiIntfStruct.Playing == 0 ) strcat( trbuf,"s" ); break;
-       case 'l': if ( guiIntfStruct.Playing == 1 ) strcat( trbuf,"p" ); break;
-       case 'e': if ( guiIntfStruct.Playing == 2 ) strcat( trbuf,"e" ); break;
+       case '3': snprintf( tmp,sizeof( tmp ),"%02d",guiIntfStruct.TimeSec / 3600 );
+		 strlcat( trbuf,tmp,sizeof( trbuf ) ); break;
+       case '4': snprintf( tmp,sizeof( tmp ),"%02d",( ( guiIntfStruct.TimeSec / 60 ) % 60 ) );
+		 strlcat( trbuf,tmp,sizeof( trbuf ) ); break;
+       case '5': snprintf( tmp,sizeof( tmp ),"%02d",guiIntfStruct.TimeSec % 60 );
+		 strlcat( trbuf,tmp,sizeof( trbuf ) ); break;
+       case '8': snprintf( tmp,sizeof( tmp ),"%01d:%02d:%02d",guiIntfStruct.TimeSec / 3600,( guiIntfStruct.TimeSec / 60 ) % 60,guiIntfStruct.TimeSec % 60 ); strlcat( trbuf,tmp,sizeof( trbuf ) ); break;
+       case 'v': snprintf( tmp,sizeof( tmp ),"%3.2f%%",guiIntfStruct.Volume );
+		 strlcat( trbuf,tmp,sizeof( trbuf ) ); break;
+       case 'V': snprintf( tmp,sizeof( tmp ),"%3.1f",guiIntfStruct.Volume );
+		 strlcat( trbuf,tmp,sizeof( trbuf ) ); break;
+       case 'b': snprintf( tmp,sizeof( tmp ),"%3.2f%%",guiIntfStruct.Balance );
+		 strlcat( trbuf,tmp,sizeof( trbuf ) ); break;
+       case 'B': snprintf( tmp,sizeof( tmp ),"%3.1f",guiIntfStruct.Balance );
+		 strlcat( trbuf,tmp,sizeof( trbuf ) ); break;
+       case 'd': snprintf( tmp,sizeof( tmp ),"%d",guiIntfStruct.FrameDrop );
+		 strlcat( trbuf,tmp,sizeof( trbuf ) ); break;
+       case 'x': snprintf( tmp,sizeof( tmp ),"%d",guiIntfStruct.MovieWidth );
+		 strlcat( trbuf,tmp,sizeof( trbuf ) ); break;
+       case 'y': snprintf( tmp,sizeof( tmp ),"%d",guiIntfStruct.MovieHeight );
+		 strlcat( trbuf,tmp,sizeof( trbuf ) ); break;
+       case 'C': snprintf( tmp,sizeof( tmp ),"%s", guiIntfStruct.sh_video? ((sh_video_t *)guiIntfStruct.sh_video)->codec->name : "");
+                 strlcat( trbuf,tmp,sizeof( trbuf ) ); break;
+       case 's': if ( guiIntfStruct.Playing == 0 ) strlcat( trbuf,"s",sizeof( trbuf ) ); break;
+       case 'l': if ( guiIntfStruct.Playing == 1 ) strlcat( trbuf,"p",sizeof( trbuf ) ); break;
+       case 'e': if ( guiIntfStruct.Playing == 2 ) strlcat( trbuf,"e",sizeof( trbuf ) ); break;
        case 'a':
-            if ( muted ) { strcat( trbuf,"n" ); break; }
+            if ( muted ) { strlcat( trbuf,"n",sizeof( trbuf ) ); break; }
             switch ( guiIntfStruct.AudioType )
              {
-              case 0: strcat( trbuf,"n" ); break;
-              case 1: strcat( trbuf,"m" ); break;
-              case 2: strcat( trbuf,"t" ); break;
+              case 0: strlcat( trbuf,"n",sizeof( trbuf ) ); break;
+              case 1: strlcat( trbuf,"m",sizeof( trbuf ) ); break;
+              case 2: strlcat( trbuf,"t",sizeof( trbuf ) ); break;
              }
             break;
        case 'T':
            switch ( guiIntfStruct.StreamType )
             {
-             case STREAMTYPE_FILE:   strcat( trbuf,"f" ); break;
+             case STREAMTYPE_FILE:   strlcat( trbuf,"f",sizeof( trbuf ) ); break;
 #ifdef HAVE_VCD
-             case STREAMTYPE_VCD:    strcat( trbuf,"v" ); break;
+             case STREAMTYPE_VCD:    strlcat( trbuf,"v",sizeof( trbuf ) ); break;
 #endif
-             case STREAMTYPE_STREAM: strcat( trbuf,"u" ); break;
+             case STREAMTYPE_STREAM: strlcat( trbuf,"u",sizeof( trbuf ) ); break;
 #ifdef USE_DVDREAD
-             case STREAMTYPE_DVD:    strcat( trbuf,"d" ); break;
+             case STREAMTYPE_DVD:    strlcat( trbuf,"d",sizeof( trbuf ) ); break;
 #endif
-             default:                strcat( trbuf," " ); break;
+             default:                strlcat( trbuf," ",sizeof( trbuf ) ); break;
             }
            break;
-       case '$': strcat( trbuf,"$" ); break;
+       case '$': strlcat( trbuf,"$",sizeof( trbuf ) ); break;
        default: continue;
       }
      c=strlen( trbuf );
--- a/Gui/skin/font.c	Fri Jun 25 16:43:34 2004 +0000
+++ b/Gui/skin/font.c	Fri Jun 25 16:49:53 2004 +0000
@@ -27,7 +27,7 @@
 
  if ( ( Fonts[id]=calloc( 1,sizeof( bmpFont ) ) ) == NULL ) return -1;
 
- strcpy( Fonts[id]->name,name );
+ strlcpy( Fonts[id]->name,name,128 ); // FIXME: as defined in font.h
  for ( i=0;i<256;i++ ) 
    Fonts[id]->Fnt[i].x=Fonts[id]->Fnt[i].y=Fonts[id]->Fnt[i].sx=Fonts[id]->Fnt[i].sy=-1;
 
@@ -60,7 +60,8 @@
  
  if ( id < 0 ) return id;
 
- strcpy( tmp,path ); strcat( tmp,fname ); strcat( tmp,".fnt" );
+ strlcpy( tmp,path,sizeof( tmp ) );
+ strlcat( tmp,fname,sizeof( tmp ) ); strlcat( tmp,".fnt",sizeof( tmp ) );
  if ( ( f=fopen( tmp,"rt" ) ) == NULL ) 
    { free( Fonts[id] ); return -3; }
    
@@ -93,7 +94,7 @@
      {
       if ( !strcmp( command,"image" ) )
        {
-        strcpy( tmp,path ); strcat( tmp,param );
+        strlcpy( tmp,path,sizeof( tmp )  ); strlcat( tmp,param,sizeof( tmp ) );
         mp_dbg( MSGT_GPLAYER,MSGL_DBG2,"[font] font imagefile: %s\n",tmp );
         if ( skinBPRead( tmp,&Fonts[id]->Bitmap ) ) return -4;
        }
--- a/Gui/skin/skin.c	Fri Jun 25 16:43:34 2004 +0000
+++ b/Gui/skin/skin.c	Fri Jun 25 16:49:53 2004 +0000
@@ -116,7 +116,7 @@
 {
  CHECKDEFLIST( "window" );
 
- strcpy( window_name,strlower( in ) );
+ strlcpy( window_name,strlower( in ),sizeof( window_name ) );
  if ( !strncmp( in,"main",4 ) ) { currSection=&skinAppMPlayer->main; currSubItem=&skinAppMPlayer->NumberOfItems; currSubItems=skinAppMPlayer->Items; }
   else if ( !strncmp( in,"sub",3 ) ) currSection=&skinAppMPlayer->sub;
    else if ( !strncmp( in,"playbar",7 ) ) { currSection=&skinAppMPlayer->bar; currSubItem=&skinAppMPlayer->NumberOfBarItems; currSubItems=skinAppMPlayer->barItems; }
@@ -147,7 +147,7 @@
    defList->main.x=x;
    defList->main.y=y;
    defList->main.type=itBase;
-   strcpy( tmp,path ); strcat( tmp,fname );
+   strlcpy(tmp, path, sizeof( tmp )); strlcat(tmp, fname, sizeof( tmp )); 
    if ( skinBPRead( tmp,&defList->main.Bitmap ) ) return 1;
    defList->main.width=defList->main.Bitmap.Width;
    defList->main.height=defList->main.Bitmap.Height;
@@ -162,7 +162,7 @@
  if ( !strcmp( window_name,"sub" ) )
   {
    defList->sub.type=itBase;
-   strcpy( tmp,path ); strcat( tmp,fname );
+   strlcpy(tmp, path, sizeof( tmp )); strlcat(tmp, fname, sizeof( tmp )); 
    if ( skinBPRead( tmp,&defList->sub.Bitmap ) ) return 1;
    defList->sub.x=x;
    defList->sub.y=y;
@@ -179,7 +179,7 @@
   {
    defList->menuIsPresent=1;
    defList->menuBase.type=itBase;
-   strcpy( tmp,path ); strcat( tmp,fname );
+   strlcpy(tmp, path, sizeof( tmp )); strlcat(tmp, fname, sizeof( tmp )); 
    if ( skinBPRead( tmp,&defList->menuBase.Bitmap ) ) return 1;
    defList->menuBase.width=defList->menuBase.Bitmap.Width;
    defList->menuBase.height=defList->menuBase.Bitmap.Height;
@@ -197,7 +197,7 @@
    defList->bar.x=x;
    defList->bar.y=y;
    defList->bar.type=itBase;
-   strcpy( tmp,path ); strcat( tmp,fname );
+   strlcpy(tmp, path, sizeof( tmp )); strlcat(tmp, fname, sizeof( tmp )); 
    if ( skinBPRead( tmp,&defList->bar.Bitmap ) ) return 1;
    defList->bar.width=defList->bar.Bitmap.Width;
    defList->bar.height=defList->bar.Bitmap.Height;
@@ -268,7 +268,7 @@
  currSubItems[ *currSubItem ].Bitmap.Image=NULL;
  if ( strcmp( fname,"NULL" ) )
   {
-   strcpy( tmp,path ); strcat( tmp,fname );
+   strlcpy(tmp, path, sizeof( tmp )); strlcat(tmp, fname, sizeof( tmp )); 
    if ( skinBPRead( tmp,&currSubItems[ *currSubItem ].Bitmap ) ) return 1;
   }
 
@@ -289,7 +289,7 @@
 
  cutItem( in,fname,',',0 );
  defList->menuSelected.type=itBase;
- strcpy( tmp,path ); strcat( tmp,fname );
+ strlcpy(tmp, path, sizeof( tmp )); strlcat(tmp, fname, sizeof( tmp )); 
  mp_dbg( MSGT_GPLAYER,MSGL_DBG2,"\n[skin] selected: %s\n",fname );
  if ( skinBPRead( tmp,&defList->menuSelected.Bitmap ) ) return 1;
  defList->menuSelected.width=defList->menuSelected.Bitmap.Width;
@@ -381,14 +381,14 @@
  item->Bitmap.Image=NULL;
  if ( strcmp( phfname,"NULL" ) )
   {
-   strcpy( tmp,path ); strcat( tmp,phfname );
+   strlcpy(tmp, path, sizeof( tmp )); strlcat(tmp, phfname, sizeof( tmp )); 
    if ( skinBPRead( tmp,&item->Bitmap ) ) return 1;
   }
 
  item->Mask.Image=NULL;
  if ( strcmp( pfname,"NULL" ) )
   {
-   strcpy( tmp,path ); strcat( tmp,pfname );
+   strlcpy(tmp, path, sizeof( tmp )); strlcat(tmp, pfname, sizeof( tmp )); 
    if ( skinBPRead( tmp,&item->Mask ) ) return 1;
   }
  return 0;
@@ -445,7 +445,7 @@
  item->Bitmap.Image=NULL;
  if ( strcmp( phfname,"NULL" ) )
   {
-   strcpy( tmp,path ); strcat( tmp,phfname );
+   strlcpy(tmp, path, sizeof( tmp )); strlcat(tmp, phfname, sizeof( tmp )); 
    if ( skinBPRead( tmp,&item->Bitmap ) ) return 1;
   }
  return 0;
@@ -655,7 +655,12 @@
 FILE * skinFile;
 
 void setname( char * item1, char * item2 )
-{ strcpy( fn,item1 ); strcat( fn,"/" ); strcat( fn,item2 ); strcpy( path,fn ); strcat( path,"/" ); strcat( fn,"/skin" ); }
+{
+  strlcpy(fn, item1, sizeof( fn ));
+  strlcat(fn, "/", sizeof( fn )); strlcat(fn, item2, sizeof( fn ));
+  strlcpy(path, fn, sizeof( path )); strlcat(path, "/", sizeof( path ));
+  strlcat(fn, "/skin", sizeof( fn ));
+}
 
 int skinRead( char * dname )
 {
--- a/configure	Fri Jun 25 16:43:34 2004 +0000
+++ b/configure	Fri Jun 25 16:49:53 2004 +0000
@@ -2712,6 +2712,34 @@
 fi
 echores "$_strsep"
 
+echocheck "strlcpy()"
+cat > $TMPC << EOF
+#include <string.h>
+int main (void) { char *s = "Hello, world!", t[20]; (void) strlcpy(t, s, sizeof( t )); return 0; }
+EOF
+_strlcpy=no
+cc_check && _strlcpy=yes
+if test "$_strlcpy" = yes ; then
+ _def_strlcpy='#define HAVE_STRLCPY 1'
+else
+ _def_strlcpy='#undef HAVE_STRLCPY'
+fi
+echores "$_strlcpy"
+
+echocheck "strlcat()"
+cat > $TMPC << EOF
+#include <string.h>
+int main (void) { char *s = "Hello, world!", t[20]; (void) strlcat(t, s, sizeof( t )); return 0; }
+EOF
+_strlcat=no
+cc_check && _strlcat=yes
+if test "$_strlcat" = yes ; then
+ _def_strlcat='#define HAVE_STRLCAT 1'
+else
+ _def_strlcat='#undef HAVE_STRLCAT'
+fi
+echores "$_strlcat"
+
 echocheck "fseeko()"
 cat > $TMPC << EOF
 #include <stdio.h>
@@ -6336,6 +6364,18 @@
 /* Define this if your system has strsep */
 $_def_strsep
 
+/* Define this if your system has strlcpy */
+$_def_strlcpy
+#ifndef HAVE_STRLCPY
+unsigned int strlcpy (char *dest, char *src, unsigned int size);
+#endif
+
+/* Define this if your system has strlcat */
+$_def_strlcat
+#ifndef HAVE_STRLCAT
+unsigned int strlcat (char *dest, char *src, unsigned int size);
+#endif
+
 /* Define this if your system has fseeko */
 $_def_fseeko
 #ifndef HAVE_FSEEKO
--- a/libmenu/menu_console.c	Fri Jun 25 16:43:34 2004 +0000
+++ b/libmenu/menu_console.c	Fri Jun 25 16:49:53 2004 +0000
@@ -150,8 +150,10 @@
     return;
   }
   priv->lines[ll] = realloc(priv->lines[ll],strlen(priv->lines[ll]) + strlen(l) + 1);
-  strcat(priv->lines[ll],l);
-  
+  if ( priv->lines[ll] != NULL )
+  {
+    strcat(priv->lines[ll],l);
+  }
 }
 
 static void draw(menu_t* menu, mp_image_t* mpi) {
--- a/libmpdemux/cue_read.c	Fri Jun 25 16:43:34 2004 +0000
+++ b/libmpdemux/cue_read.c	Fri Jun 25 16:49:53 2004 +0000
@@ -135,6 +135,10 @@
 
 
 
+/* FIXME: the string operations ( strcpy,strcat ) below depend
+ * on the arrays to have the same size, thus we need to make
+ * sure the sizes are in sync.
+ */
 int cue_find_bin (char *firstline) {
   int i,j;
   char s[256];
@@ -178,7 +182,7 @@
            bin_filename);
 
     /* now try to find it with the path of the cue file */
-    sprintf(s,"%s/%s",bincue_path, bin_filename);
+    snprintf(s,sizeof( s ),"%s/%s",bincue_path,bin_filename);
     fd_bin = open (s, O_RDONLY);
     if (fd_bin == -1)
     {
@@ -195,7 +199,7 @@
                "[bincue] bin filename tested: %s\n", s);
 
         /* ok try it with path */
-        sprintf(t,"%s/%s",bincue_path, s);
+        snprintf(t, sizeof( t ), "%s/%s", bincue_path, s);
         fd_bin = open (t, O_RDONLY);
         if (fd_bin == -1)
         {
@@ -211,7 +215,7 @@
             mp_msg(MSGT_OPEN,MSGL_STATUS,
                    "[bincue] bin filename tested: %s \n", s);
             /* ok try it with path */
-            sprintf(t,"%s/%s",bincue_path, s);
+            snprintf(t, sizeof( t ), "%s/%s", bincue_path, s);
             fd_bin = open (t, O_RDONLY);
             if (fd_bin == -1)
             {
@@ -299,15 +303,16 @@
        strcpy(t, "/");
   }
   printf ("dirname: %s\n", t);
-  strcpy(bincue_path,t);
+  strlcpy(bincue_path,t,sizeof( bincue_path ));
 
 
   /* no path at all? */
   if (strcmp(bincue_path, ".") == 0) {
     printf ("bincue_path: %s\n", bincue_path);
-    strcpy(cue_filename,in_cue_filename);
+    strlcpy(cue_filename,in_cue_filename,sizeof( cue_filename ));
   } else {
-    strcpy(cue_filename,in_cue_filename + strlen(bincue_path) + 1);
+    strlcpy(cue_filename,in_cue_filename + strlen(bincue_path) + 1,
+            sizeof( cue_filename ));
   }
 
 
--- a/libvo/vo_dxr3.c	Fri Jun 25 16:43:34 2004 +0000
+++ b/libvo/vo_dxr3.c	Fri Jun 25 16:49:53 2004 +0000
@@ -175,12 +175,14 @@
 int dxr3_device_num = 0;
 int dxr3_norm = 0;
 
+#define MAX_STR_SIZE 80 /* length for the static strings  */
+
 /* File descriptors */
 static int fd_control = -1;
 static int fd_video = -1;
 static int fd_spu = -1;
-static char fdv_name[80];
-static char fds_name[80];
+static char fdv_name[MAX_STR_SIZE];
+static char fds_name[MAX_STR_SIZE];
 
 #ifdef SPU_SUPPORT
 /* on screen display/subpics */
@@ -865,7 +867,7 @@
 
 static uint32_t preinit(const char *arg)
 {
-	char devname[80];
+	char devname[MAX_STR_SIZE];
 	int fdflags = O_WRONLY;
 
 	/* Parse commandline */
@@ -1136,13 +1138,13 @@
     int j;
 	
     if(!p) {
-	strcpy(fname,getenv("HOME"));
-	strcat(fname,"/.overlay");	    
+	strlcpy(fname, getenv("HOME"), sizeof( fname ));
+	strlcat(fname,"/.overlay", sizeof( fname ));	    
     } else
-	strcpy(fname,p);
+	strlcpy(fname, p, sizeof( fname ));
     
     sprintf(tmp,"/res_%dx%dx%d",o->xres,o->yres,o->depth);
-    strcat(fname,tmp);
+    strlcat(fname, tmp, sizeof( fname ));
 
     if(!(fp=fopen(fname,"r")))
 	return -1;
@@ -1199,10 +1201,10 @@
     int i,j;
 	
     if(!p) {
-	strcpy(fname,getenv("HOME"));
-	strcat(fname,"/.overlay");	    
+	strlcpy(fname, getenv("HOME"), sizeof( fname ));
+	strlcat(fname,"/.overlay", sizeof( fname ));	    
     } else
-	strcpy(fname,p);
+	strlcpy(fname, p, sizeof( fname ));
 
     if(access(fname, W_OK|X_OK|R_OK)) {
 	if(mkdir(fname,0766))
@@ -1210,7 +1212,7 @@
     }	
     
     sprintf(tmp,"/res_%dx%dx%d",o->xres,o->yres,o->depth);
-    strcat(fname,tmp);
+    strlcat(fname, tmp, sizeof( fname ));
     
     if(!(fp=fopen(fname,"w")))
 	return -1;
--- a/osdep/Makefile	Fri Jun 25 16:43:34 2004 +0000
+++ b/osdep/Makefile	Fri Jun 25 16:49:53 2004 +0000
@@ -3,7 +3,8 @@
 
 LIBNAME = libosdep.a
 
-SRCS= shmem.c strsep.c vsscanf.c scandir.c gettimeofday.c fseeko.c # timer.c
+SRCS= shmem.c strsep.c strl.c vsscanf.c scandir.c gettimeofday.c fseeko.c \
+      # timer.c
 
 ifeq ($(TARGET_ARCH_X86),yes)
 ifeq ($(TARGET_OS),Linux)
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/osdep/strl.c	Fri Jun 25 16:49:53 2004 +0000
@@ -0,0 +1,47 @@
+/* strl(cat|cpy) implementation for systems that do not have it in libc */
+/* strl.c - strlcpy/strlcat implementation
+ * Time-stamp: <2004-03-14 njk>
+ * (C) 2003-2004 Nicholas J. Kain <njk@aerifal.cx>
+ */
+
+#include "../config.h"
+
+#ifndef HAVE_STRLCPY
+unsigned int strlcpy (char *dest, char *src, unsigned int size)
+{
+	register unsigned int i;
+
+	for (i=0; size > 0 && src[i] != '\0'; ++i, size--)
+		dest[i] = src[i];
+
+	dest[i] = '\0';
+
+	return i;
+}
+#endif
+
+#ifndef HAVE_STRLCAT
+unsigned int strlcat (char *dest, char *src, unsigned int size)
+{
+#if 0
+	register unsigned int i, j;
+
+	for(i=0; size > 0 && dest[i] != '\0'; size--, i++);
+	for(j=0; size > 0 && src[j] != '\0'; size--, i++, j++)
+		dest[i] = src[j];
+
+	dest[i] = '\0';
+	return i;
+#else
+	register char *d = dest, *s = src;
+
+	for (; size > 0 && *d != '\0'; size--, d++);
+	for (; size > 0 && *s != '\0'; size--, d++, s++)
+		*d = *s;
+
+	*d = '\0';
+	return (d - dest) + (s - src);
+#endif 
+}
+#endif
+
--- a/playtree.c	Fri Jun 25 16:43:34 2004 +0000
+++ b/playtree.c	Fri Jun 25 16:49:53 2004 +0000
@@ -936,7 +936,7 @@
 
 void pt_add_gui_file(play_tree_t** ppt, char* path, char* file)
 {
-  char* wholename = malloc(strlen(path)+strlen(file)+3);
+  char* wholename = malloc(strlen(path)+strlen(file)+2);
 
   if (wholename)
   {
--- a/subreader.c	Fri Jun 25 16:43:34 2004 +0000
+++ b/subreader.c	Fri Jun 25 16:49:53 2004 +0000
@@ -1133,7 +1133,7 @@
   while (l){
      char *ip = icbuffer;
      char *op = sub->text[--l];
-     strcpy(ip, op);
+     strlcpy(ip, op, ICBUFFSIZE);
      ileft = strlen(ip);
      oleft = ICBUFFSIZE - 1;
 		
--- a/vidix/vidixlib.c	Fri Jun 25 16:43:34 2004 +0000
+++ b/vidix/vidixlib.c	Fri Jun 25 16:49:53 2004 +0000
@@ -122,8 +122,8 @@
   unsigned (*_ver)(void);
   int      (*_probe)(int,int);
   int      (*_cap)(vidix_capability_t*);
-  strcpy(drv_name,path);
-  strcat(drv_name,name);
+  strlcpy(drv_name,path, sizeof( drv_name ));
+  strlcat(drv_name,name, sizeof( drv_name ));
   if(verbose) printf("vidixlib: PROBING: %s\n",drv_name);
   if(!(t_vdl(stream)->handle = dlopen(drv_name,RTLD_LAZY|RTLD_GLOBAL)))
   {
@@ -194,8 +194,8 @@
     unsigned (*ver)(void);
     int (*probe)(int,int);
     unsigned version = 0;
-    strcpy(drv_name,path);
-    strcat(drv_name,name);
+    strlcpy(drv_name,path, sizeof( drv_name ));
+    strlcat(drv_name,name, sizeof( drv_name ));
     if(!(t_vdl(stream)->handle = dlopen(drv_name,RTLD_NOW|RTLD_GLOBAL)))
     {
       if (verbose)