From 3238ba0e2f1a2109650f74d63be58b4813edbe50 Mon Sep 17 00:00:00 2001 From: ctf Date: Thu, 16 Apr 2026 09:31:33 +0800 Subject: [PATCH 1/2] tools: replace strcpy/strcat with snprintf Potential buffer overflow when concatenating strings to fixed-size 255-byte statusbar buffer. Fixes buffer overflow issue. --- src/tools/pw-top.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/src/tools/pw-top.c b/src/tools/pw-top.c index 4c8036622..302449a35 100644 --- a/src/tools/pw-top.c +++ b/src/tools/pw-top.c @@ -582,23 +582,24 @@ static void do_refresh(struct data *d, bool force_refresh) if (!d->batch_mode) { char statusbar[255] = { 0 }; + int len = 0; if (!((filter->state == PW_NODE_STATE_ERROR) && (filter->followers == PW_NODE_STATE_ERROR))) { - strcpy(statusbar, "FILTER: "); + len = snprintf(statusbar, sizeof(statusbar), "FILTER: "); if (filter->state == PW_NODE_STATE_ERROR) - strcat(statusbar, "ALL"); + len += snprintf(statusbar + len, sizeof(statusbar) - len, "ALL"); else for (enum pw_node_state showstate = PW_NODE_STATE_RUNNING; showstate >= PW_NODE_STATE_ERROR; showstate--) { if (showstate >= filter->state) - strcat(statusbar, state_as_string(showstate, SPA_IO_POSITION_STATE_STOPPED)); + len += snprintf(statusbar + len, sizeof(statusbar) - len, "%s", state_as_string(showstate, SPA_IO_POSITION_STATE_STOPPED)); } - strcat(statusbar, "+"); + len += snprintf(statusbar + len, sizeof(statusbar) - len, "+"); if (filter->followers == PW_NODE_STATE_ERROR) - strcat(statusbar, "ALL"); + len += snprintf(statusbar + len, sizeof(statusbar) - len, "ALL"); else for (enum pw_node_state showstate = PW_NODE_STATE_RUNNING; showstate >= PW_NODE_STATE_ERROR; showstate--) { if (showstate >= filter->followers) - strcat(statusbar, state_as_string(showstate, SPA_IO_POSITION_STATE_STOPPED)); + len += snprintf(statusbar + len, sizeof(statusbar) - len, "%s", state_as_string(showstate, SPA_IO_POSITION_STATE_STOPPED)); } } From d9fc432872fe3f1c8f5d6c1617b827e17f65e000 Mon Sep 17 00:00:00 2001 From: ctf Date: Thu, 16 Apr 2026 09:31:37 +0800 Subject: [PATCH 2/2] tools: replace strcpy with memcpy Potential buffer overflow in metadata_property function when copying strings. Fixes buffer overflow issue in string copying. --- src/tools/pw-dump.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/tools/pw-dump.c b/src/tools/pw-dump.c index 09643aa43..a870e4df0 100644 --- a/src/tools/pw-dump.c +++ b/src/tools/pw-dump.c @@ -1107,12 +1107,12 @@ static int metadata_property(void *data, e->subject = subject; e->key = SPA_PTROFF(e, sizeof(*e), void); - strcpy(e->key, key); - e->value = SPA_PTROFF(e->key, strlen(e->key) + 1, void); - strcpy(e->value, value); + memcpy(e->key, key, strlen(key) + 1); + e->value = SPA_PTROFF(e->key, strlen(key) + 1, void); + memcpy(e->value, value, strlen(value) + 1); if (type) { - e->type = SPA_PTROFF(e->value, strlen(e->value) + 1, void); - strcpy(e->type, type); + e->type = SPA_PTROFF(e->value, strlen(value) + 1, void); + memcpy(e->type, type, strlen(type) + 1); } else { e->type = NULL; }