Patch from Melchior Franz:

at several places material was copied to "buffer" using strncpy
without adding a closing '\0'. This again lead to access to non
initialized memory and potentially (and actually at least in one
case) to feeding garbage to atof(). In case the following garbage
happened to start with digits, we would get funny time
values.  :-)
   I just added the obligatory "buffer[n] = 0", which doesn't
really look professional now. Maybe we should use the string
class or define a helper function that strncopies =and= adds
a trailing zero?
   The last hunk fixes another buglet, that wasn't dangerous
at all, but caused an error message. The loop that should cut
the string at hash marks ('#') did neither stop at such, nor at
string ends. It always scanned the whole 256 character long
buffer and accessed uninitialized memory. valgrind doesn't
like that. I dropped the 256 counter, because fgets =does=
add the closing zero. It is safe to scan until we either
get the zero or the hash mark.

diff --git a/simgear/timing/timezone.cxx b/simgear/timing/timezone.cxx
index f0d914043c77d07747a754cb7651a2ab7324bd0e..29ef5df0ef5f2c865a21f7ff145651b432f33572 100644 (file)
--- a/simgear/timing/timezone.cxx
+++ b/simgear/timing/timezone.cxx
@@ -62,13 +62,16 @@ Timezone::Timezone(const char *infoString) :
     char sign;
     sign = latlon[0];
     strncpy(buffer, &latlon[1], 2);
+    buffer[2] = 0;
     lat = atof(buffer);
     strncpy(buffer, &latlon[3], 2);
+    buffer[2] = 0;
     lat += (atof(buffer) / 60);
     int nextPos;
     if (strlen(latlon) > 12) {
         nextPos = 7;
         strncpy(buffer, &latlon[5], 2);
+        buffer[2] = 0;
         lat += (atof(buffer) / 3600.0);
     } else {
         nextPos = 5;
@@ -80,6 +83,7 @@ Timezone::Timezone(const char *infoString) :
     sign = latlon[nextPos];
     nextPos++;
     strncpy(buffer, &latlon[nextPos], 3);
+    buffer[3] = 0;
     lon = atof(buffer);
     nextPos += 3;
     strncpy(buffer, &latlon[nextPos], 2);
@@ -89,6 +93,7 @@ Timezone::Timezone(const char *infoString) :
     if (strlen(latlon) > 12) {
         nextPos += 2;
         strncpy(buffer, &latlon[nextPos], 2); 
+        buffer[2] = 0;
         lon +=  (atof (buffer) / 3600.00);
     }
     if (sign == '-') {
@@ -136,10 +141,11 @@ TimezoneContainer::TimezoneContainer(const char *filename)
             if( buffer[0] == '#' )
                continue;
 #else
-            for (int i = 0; i < 256; i++) {
-                if (buffer[i] == '#') {
-                    buffer[i] = 0;
-                }
+            for (char *p = buffer; *p; p++) {
+                if (*p == '#') {
+                    *p = 0;
+                    break;
+                }    
             }
 #endif
             if (buffer[0]) {