authorPali Rohár <pali.rohar@gmail.com>2012-06-23 15:01:10 +0200
committerPali Rohár <pali.rohar@gmail.com>2012-06-23 15:01:10 +0200
commit5da30a5bc573fac6495a2364fafebfa70d1ae851 (patch)
tree58af49b0be9b47250150f0a40adc80a07ac4f6d1
parent8fdba437af4fb14960e87724b2164ff28dc5da55 (diff)
download0xFFFF-5da30a5bc573fac6495a2364fafebfa70d1ae851.tar.bz2
Fix memory problems when unpacking fiasco images
-rw-r--r--src/fiasco.c21
-rw-r--r--src/main.h2
2 files changed, 17 insertions, 6 deletions
diff --git a/src/fiasco.c b/src/fiasco.c
index dd2c938..3f89da0 100644
--- a/src/fiasco.c
+++ b/src/fiasco.c
@@ -85,7 +85,10 @@ int openfiasco(const char *name, const char *piece_grep, int v)
if (pdata[0] == 0xe8) {
if (v) printf("Header: %s\n", pdata+2);
} else if (pdata[0] == 0x31) {
- strncpy(header.fwname, (char *)pdata+2, (int)pdata[1]);
+ i = pdata[1];
+ if (i >= sizeof(header.fwname)) i = sizeof(header.fwname)-1;
+ memset(header.fwname, 0, sizeof(header.fwname));
+ strncpy(header.fwname, (char *)pdata+2, i);
if (v) printf("Name: %s\n", header.fwname);
} else {
if (v) printf("Unknown header 0x%x, length %d, data %s\n", pdata[0], pdata[1], pdata+2);
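Review bot: The two verbose prints in this hunk, `printf("Header: %s\n", pdata+2)` and the `Unknown header` one, still read `pdata+2` up to the first NUL byte rather than up to the length byte that the new code clamps on for the 0x31 case. If the header block taken from the image file is not NUL-terminated (the read that fills it is outside the hunk), those prints run past the field. Bounding them with the length, e.g. `printf("Header: %.*s\n", (int)pdata[1], pdata+2);`, would make all three branches consistent. The clamp also truncates an over-long name silently; a verbose-mode warning would help when examining a malformed image.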
@@ -123,7 +126,8 @@ int openfiasco(const char *name, const char *piece_grep, int v)
printf(" [eof]\n");
break;
} else if (v) printf(" %s\n", data);
- strcpy(header.type, (char *)data);
+ memset(header.type, 0, sizeof(header.type));
+ strncpy(header.type, (char *)data, sizeof(header.type)-1);
if (v) {
printf(" header: ");
@@ -191,12 +195,12 @@ int openfiasco(const char *name, const char *piece_grep, int v)
printf(": (not printing)\n");
}
if (buf[8] == '1') {
- strcpy(header.version, (char *)pdata);
+ strncpy(header.version, (char *)pdata, sizeof(header.version)-1);
} else if (buf[8] == '2' && pdata == data) {
- strcpy(header.device, (char *)pdata);
+ strncpy(header.device, (char *)pdata, sizeof(header.device)-1);
} else if (buf[8] == '2' && pdata != data) {
if (header.hwrevs[0] == 0)
- strcpy(header.hwrevs, buf2);
+ strncpy(header.hwrevs, buf2, sizeof(header.hwrevs)-1);
else {
strcat(header.hwrevs, ",");
strcat(header.hwrevs, buf2);
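Review bot: The `strcat(header.hwrevs, ",")` / `strcat(header.hwrevs, buf2)` pair in the else branch is still unbounded, so an image with enough hardware-revision entries can write past the 128-byte `hwrevs` array declared in main.h. A bounded append such as `strncat(header.hwrevs, buf2, sizeof(header.hwrevs)-strlen(header.hwrevs)-1);` (and the same for the comma) would cap it. Separately, the three new `strncpy` calls are not preceded by a `memset` the way the `fwname` and `type` copies are, so termination depends on the last byte of each field already being zero, which this hunk does not establish. An explicit `header.version[sizeof(header.version)-1] = 0;` after each copy would remove that dependency.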
@@ -220,6 +224,11 @@ int openfiasco(const char *name, const char *piece_grep, int v)
if (read(header.fd, buf+8, 1)<1)
return close(header.fd);
}
+ header.name = malloc(strlen(header.type)+strlen(header.device)+strlen(header.hwrevs)+strlen(header.version)+4);
+ if (!header.name) {
+ printf("malloc error\n");
+ exit(1);
+ }
strcpy(header.name, header.type);
if (header.device[0]) {
strcat(header.name, "-");
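Review bot: The literal `4` in the malloc size is correct only while the strcpy/strcat sequence below appends at most three `-` separators plus the terminator, and that sequence continues past the end of this hunk. A comment on the allocation such as `/* type + "-" device + "-" hwrevs + "-" version + NUL */` would document the coupling. The failure path also prints to stdout and calls `exit(1)` with `header.fd` still open, whereas the other error exit visible in this hunk is `return close(header.fd);`. Writing the message with `fprintf(stderr, "malloc error\n");` would at least keep it out of the normal output.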
@@ -253,6 +262,7 @@ int openfiasco(const char *name, const char *piece_grep, int v)
free(header.layout);
header.layout = NULL;
}
+ free(header.name);
free(header.data);
continue;
} else {
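Review bot: `free(header.name)` leaves the pointer dangling, while the `header.layout` free just above it resets its pointer to NULL; the same applies to the free added in the next hunk. The loop continues after this free and `header` is reused, so adding `header.name = NULL;` after both frees would guard against a double free or stale read if any path reaches a free without passing the malloc again. Whether such a path exists cannot be determined from these hunks, since most of the loop body is outside them.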
@@ -266,6 +276,7 @@ int openfiasco(const char *name, const char *piece_grep, int v)
free(header.layout);
header.layout = NULL;
}
+ free(header.name);
}
return close(header.fd);
}
diff --git a/src/main.h b/src/main.h
index 0aed4c4..3e474fc 100644
--- a/src/main.h
+++ b/src/main.h
@@ -103,7 +103,6 @@ enum {
struct header_t {
int fd;
char fwname[128];
- char name[128];
char type[128];
char device[16];
char hwrevs[128];
@@ -111,6 +110,7 @@ struct header_t {
unsigned short hash;
unsigned int size;
unsigned char *data;
+ char *name;
char *layout;
};
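Review bot: Turning `name` from `char name[128]` into `char *name` changes the meaning of any `sizeof(header.name)` or array-style use elsewhere in the tree, and nothing in the struct says who owns the buffer. A comment on the member, e.g. `char *name; /* heap-allocated per piece in openfiasco(), freed there */`, would record the ownership. Users of `struct header_t` outside src/fiasco.c are not visible in this commit and should be checked for such uses.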