Re: [PATCH 2/4] winex11: Avoid inefficiency and overflow in remove_startup_notification.

31 Oct 2015

      It seems like you're doing two unrelated things here? I'd expect the
process of building the string to send and sending it to be
independent.
...
 if ((src = strstr( id, "_TIME" ))) update_user_time( atol( src + 5 ));

pos = snprintf(message, sizeof(message), "remove: ID=");
message[pos++] = '"';
for (i = 0; id[i] && pos < sizeof(message) - 2; i++)

pos = sprintf(message, "remove: ID="");
for (i = 0; id[i]; i++)
{
    if (id[i] == '"' || id[i] == '\')
   {

       if (pos == sizeof(message) - 3) break;
       message[pos++] = '\\';

   }

   if (pos == sizeof(message) - 2) break;
   message[pos++] = id[i];

}
   message[pos++] = '"';
   message[pos++] = '\0';

Your use of == instead of > or >= in these checks makes me
uncomfortable. Given that a single iteration can increment pos twice,
why can't we have a situation where (pos > sizeof(message) - 3),
inside the if statement?
As for the memset, I didn't examine that as thoroughly, but it's a
good policy to not send uninitialized data over the wire. Still, we
could move the memset outside the loop and know that won't happen.

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

Re: [PATCH 2/4] winex11: Avoid inefficiency and overflow in remove_startup_notification.