diff options
author | Pali Rohár <pali.rohar@gmail.com> | 2012-06-23 15:01:10 +0200 |
---|---|---|
committer | Pali Rohár <pali.rohar@gmail.com> | 2012-06-23 15:01:10 +0200 |
commit | 5da30a5bc573fac6495a2364fafebfa70d1ae851 (patch) | |
tree | 58af49b0be9b47250150f0a40adc80a07ac4f6d1 /src/fiasco.c | |
parent | 8fdba437af4fb14960e87724b2164ff28dc5da55 (diff) | |
download | 0xFFFF-5da30a5bc573fac6495a2364fafebfa70d1ae851.tar.bz2 |
Fix memory problems when unpacking fiasco images
Diffstat (limited to 'src/fiasco.c')
-rw-r--r-- | src/fiasco.c | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/src/fiasco.c b/src/fiasco.c index dd2c938..3f89da0 100644 --- a/src/fiasco.c +++ b/src/fiasco.c @@ -85,7 +85,10 @@ int openfiasco(const char *name, const char *piece_grep, int v) if (pdata[0] == 0xe8) { if (v) printf("Header: %s\n", pdata+2); } else if (pdata[0] == 0x31) { - strncpy(header.fwname, (char *)pdata+2, (int)pdata[1]); + i = pdata[1]; + if (i >= sizeof(header.fwname)) i = sizeof(header.fwname)-1; + memset(header.fwname, 0, sizeof(header.fwname)); + strncpy(header.fwname, (char *)pdata+2, i); if (v) printf("Name: %s\n", header.fwname); } else { if (v) printf("Unknown header 0x%x, length %d, data %s\n", pdata[0], pdata[1], pdata+2); @@ -123,7 +126,8 @@ int openfiasco(const char *name, const char *piece_grep, int v) printf(" [eof]\n"); break; } else if (v) printf(" %s\n", data); - strcpy(header.type, (char *)data); + memset(header.type, 0, sizeof(header.type)); + strncpy(header.type, (char *)data, sizeof(header.type)-1); if (v) { printf(" header: "); @@ -191,12 +195,12 @@ int openfiasco(const char *name, const char *piece_grep, int v) printf(": (not printing)\n"); } if (buf[8] == '1') { - strcpy(header.version, (char *)pdata); + strncpy(header.version, (char *)pdata, sizeof(header.version)-1); } else if (buf[8] == '2' && pdata == data) { - strcpy(header.device, (char *)pdata); + strncpy(header.device, (char *)pdata, sizeof(header.device)-1); } else if (buf[8] == '2' && pdata != data) { if (header.hwrevs[0] == 0) - strcpy(header.hwrevs, buf2); + strncpy(header.hwrevs, buf2, sizeof(header.hwrevs)-1); else { strcat(header.hwrevs, ","); strcat(header.hwrevs, buf2); @@ -220,6 +224,11 @@ int openfiasco(const char *name, const char *piece_grep, int v) if (read(header.fd, buf+8, 1)<1) return close(header.fd); } + header.name = malloc(strlen(header.type)+strlen(header.device)+strlen(header.hwrevs)+strlen(header.version)+4); + if (!header.name) { + printf("malloc error\n"); + exit(1); + } strcpy(header.name, header.type); if (header.device[0]) { strcat(header.name, "-"); @@ -253,6 +262,7 @@ int openfiasco(const char *name, const char *piece_grep, int v) free(header.layout); header.layout = NULL; } + free(header.name); free(header.data); continue; } else { @@ -266,6 +276,7 @@ int openfiasco(const char *name, const char *piece_grep, int v) free(header.layout); header.layout = NULL; } + free(header.name); } return close(header.fd); } |