From 4401dcaa2814a310f24f2bb7dd7b38b0d0071445 Mon Sep 17 00:00:00 2001
From: Charles Kerr
Date: Wed, 24 Feb 2010 04:23:36 +0000
Subject: [PATCH] (trunk libT) #2965: "buffer overflow if too many tr= args in a magnet link" -- fixed in trunk for 1.92. thanks to pjz for the patch.
---
 libtransmission/magnet.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libtransmission/magnet.c b/libtransmission/magnet.c
index 6ccd9191f..bff04c29a 100644
--- a/libtransmission/magnet.c
+++ b/libtransmission/magnet.c
@@ -151,10 +151,10 @@ tr_magnetParse( const char * uri )
 if( ( keylen==2 ) && !memcmp( key, "dn", 2 ) )
 displayName = tr_http_unescape( val, vallen );
- if( ( keylen==2 ) && !memcmp( key, "tr", 2 ) )
+ if( ( keylen==2 ) && !memcmp( key, "tr", 2 ) && ( trCount < MAX_TRACKERS ) )
 tr[trCount++] = tr_http_unescape( val, vallen );
- if( ( keylen==2 ) && !memcmp( key, "ws", 2 ) )
+ if( ( keylen==2 ) && !memcmp( key, "ws", 2 ) && ( wsCount < MAX_TRACKERS ) )
 ws[wsCount++] = tr_http_unescape( val, vallen );
 walk = next != NULL ? next + 1 : NULL;
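Review bot: The new `ws` guard bounds `wsCount` with `MAX_TRACKERS`, but the declaration of `ws` is outside this hunk, so the check is only correct if that array is actually sized by the same constant. Because the key/value pairs come from a magnet URI supplied by an untrusted party, each bound is safer tied to the array it protects, e.g. `wsCount < sizeof( ws ) / sizeof( ws[0] )` with a cast matching `wsCount`'s type if `ws` is a true local array, or a dedicated constant for the webseed array. Surplus `tr=` and `ws=` values are now dropped silently, so a one-line comment such as `/* extra trackers beyond MAX_TRACKERS are ignored */` would record that this is intended. A regression test that parses a link with more than `MAX_TRACKERS` `tr=` entries would pin the fix; tr_magnetParse's body starts and ends outside the hunk.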