From 0063257a2bf4284b50945f337b81db951cfad364 Mon Sep 17 00:00:00 2001
From: Max Horn
Date: Mon, 31 Oct 2005 01:50:51 +0000
Subject: Fix another HOME buffer overflow attack vector

svn-id: r19376
---
 base/gameDetector.cpp     | 7 ++++---
 common/config-manager.cpp | 5 +++--
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/base/gameDetector.cpp b/base/gameDetector.cpp
index 08bd53281e..8d8705dda2 100644
--- a/base/gameDetector.cpp
+++ b/base/gameDetector.cpp
@@ -176,8 +176,9 @@ GameDetector::GameDetector() {
 	char savePath[MAXPATHLEN];
 #ifdef UNIX
 	struct stat sb;
-	if (getenv("HOME") != NULL) {
-		snprintf(savePath, MAXPATHLEN, "%s/%s", getenv("HOME"), DEFAULT_SAVE_PATH);
+	const char *home = getenv("HOME");
+	if (home != NULL && strlen(home) < MAXPATHLEN) {
+		snprintf(savePath, MAXPATHLEN, "%s/%s", home, DEFAULT_SAVE_PATH);
 		if (stat(savePath, &sb) == -1) {
 			/* create the dir if it does not exist */
 			if (errno == ENOENT) {
@@ -344,7 +345,7 @@ void GameDetector::parseCommandLine(int argc, char **argv) {
 	// handled here, just before the command line gets parsed.
 #if !defined(MACOS_CARBON) && !defined(_WIN32_WCE) && !defined(PALMOS_MODE)
 	const char *dir = getenv("SCUMMVM_SAVEPATH");
-	if (dir && *dir) {
+	if (dir && *dir && strlen(dir) < 1024) {
 		// TODO: Verify whether the path is valid
 		settings["savepath"] = dir;
 	}
diff --git a/common/config-manager.cpp b/common/config-manager.cpp
index 08edb25240..995d9d601a 100644
--- a/common/config-manager.cpp
+++ b/common/config-manager.cpp
@@ -92,8 +92,9 @@ ConfigManager::ConfigManager() {
 void ConfigManager::loadDefaultConfigFile() {
 	char configFile[MAXPATHLEN];
 #if defined(UNIX)
-	if (getenv("HOME") != NULL)
-		sprintf(configFile,"%s/%s", getenv("HOME"), DEFAULT_CONFIG_FILE);
+	const char *home = getenv("HOME");
+	if (home != NULL && strlen(home) < MAXPATHLEN)
+		snprintf(configFile, MAXPATHLEN, "%s/%s", home, DEFAULT_CONFIG_FILE);
 	else
 		strcpy(configFile, DEFAULT_CONFIG_FILE);
 #else
-- 
cgit v1.2.3