From a6ef73359c0e0537ebf83795ebacbbfaee2c9c28 Mon Sep 17 00:00:00 2001
From: pancake <pancake@flubox>
Date: Fri, 19 Dec 2008 19:39:27 +0100
Subject: * Apply security patches from Erik Hovland - Thanks!

---
 config.mk             |  5 ++++-
 logotool/compress.c   |  1 +
 logotool/rgb2yuv.c    |  2 ++
 logotool/uncompress.c |  1 +
 src/dump.c            |  8 ++++----
 src/fiasco.c          |  2 +-
 src/fpid.c            |  7 ++++++-
 src/hash.c            |  4 +++-
 src/qmode.c           | 49 ++++++++++++++++++++++---------------------------
 src/squeue/squeue.c   |  7 ++++++-
 10 files changed, 50 insertions(+), 36 deletions(-)

diff --git a/config.mk b/config.mk
index 851d9f3..cb82aaa 100644
--- a/config.mk
+++ b/config.mk
@@ -1,10 +1,13 @@
 VERSION=0.4.0
 PREFIX=/usr
 
-
 # NetBSD stuff
 CFLAGS+=-I/usr/pkg/include -O2
 LDFLAGS+=-L/usr/pkg/lib -Wl,-R/usr/pkg/lib
 
 HAVE_USB=1
 HAVE_GUI=1
+
+# For linking against this copy of libusb
+#CFLAGS+=-I../libusb
+
diff --git a/logotool/compress.c b/logotool/compress.c
index c65158c..cb32265 100644
--- a/logotool/compress.c
+++ b/logotool/compress.c
@@ -60,6 +60,7 @@ int compress_image(char *srcf, char *dstf, int w, int h)
 	fdout  = open( dstf, O_TRUNC | O_CREAT | O_WRONLY , 0660 );
 	if (fdout == -1) {
 		printf("Cannot open file '%s' for writing\n", dstf);
+		fclose(fd);
 		return 1;
 	}
 
diff --git a/logotool/rgb2yuv.c b/logotool/rgb2yuv.c
index b3f2143..4c3a268 100644
--- a/logotool/rgb2yuv.c
+++ b/logotool/rgb2yuv.c
@@ -107,5 +107,7 @@ int rgb2yuv(char *from, char *to, int width, int height)
 	for ( i = 0 ; i < height ; i+=2 )
 		for ( j = 0; j < width ; j +=2 )
 			write ( fout,&dstV[j+(i*width)], 1);
+
+	free(dstV); free(dstU); free(dstY); free(src);
 	return 1;
 }	
diff --git a/logotool/uncompress.c b/logotool/uncompress.c
index 4d0599f..b3e19dd 100644
--- a/logotool/uncompress.c
+++ b/logotool/uncompress.c
@@ -119,5 +119,6 @@ int uncompress_image(char *srcf, char *dstf)
 	//printf("logotool -w %d -h %d -v %s\n", width, height, dstf);
 	printf("eval PATH=$PWD:$PATH logotool -w %d -h %d -m %s\n", width, height, dstf);
 
+	free(dst); free(src);
 	return 0;
 }
diff --git a/src/dump.c b/src/dump.c
index e102ce9..3f15fce 100644
--- a/src/dump.c
+++ b/src/dump.c
@@ -69,17 +69,14 @@ __rf_extract_exit:
  * This function was covardly copied from nanddump.c @ mtd-utils-20060907
  */
 #define _GNU_SOURCE
-#include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 #include <unistd.h>
 #include <getopt.h>
 #include <sys/ioctl.h>
 #include <sys/types.h>
-#include <sys/stat.h>
 //#include <asm/types.h>
 #include <mtd/mtd-user.h>
 #ifndef loff_t
@@ -171,6 +168,9 @@ int check_badblocks(char *mtddev)
 		return 1;
 	}
 
+	memset(&stat1, 0, sizeof(stat1));
+	memset(&stat2, 0, sizeof(stat2));
+
         fprintf(stderr, "Block size %u, page size %u, OOB size %u\n",
                 meminfo.erasesize, meminfo.writesize, meminfo.oobsize);
         fprintf(stderr, "Size %u, flags %u, type 0x%x\n",
@@ -498,7 +498,7 @@ int dump_config()
 			break;
 		if (!memcmp(buf,"ConF", 4)) {
 		loop:
-			read(fd, buf, 4);
+			ret = read(fd, buf, 4);
 			if (ret == -1) break;
 			printf("\n0x%08x : ConF %02x %02x %02x %02x : ", i,
 				buf[0], buf[1], buf[2], buf[3]);
diff --git a/src/fiasco.c b/src/fiasco.c
index 3e9da9f..cb27b10 100644
--- a/src/fiasco.c
+++ b/src/fiasco.c
@@ -62,7 +62,7 @@ int openfiasco(char *name, char *piece_grep, int v)
 	read(header.fd, buf, namelen);
 
 	if (v) printf("Fiasco version: %2d\n", buf[3]);
-	strcpy(header.fwname, (char *)buf+6);
+	strncpy(header.fwname, (char *)buf+6, sizeof(header.fwname) - 1);
 	if (v)
 	for(i=6;i<namelen;i+=strlen((char *)(buf+i))+1)
 		printf("Name: %s\n", buf+i);
diff --git a/src/fpid.c b/src/fpid.c
index f36b758..7387855 100644
--- a/src/fpid.c
+++ b/src/fpid.c
@@ -37,7 +37,12 @@ long fpid_size(const char *filename)
 {
 	long sz;
 	FILE *fd = fopen(filename, "r");
-	fseek(fd, 0, SEEK_END);
+	if (fd == NULL)
+		return -1;
+	if (fseek(fd, 0, SEEK_END) != 0) {
+		fclose(fd);
+		return -1;
+	}
 	sz = ftell(fd);
 	fclose(fd);
 	return sz;
diff --git a/src/hash.c b/src/hash.c
index 77b4159..d4ad607 100644
--- a/src/hash.c
+++ b/src/hash.c
@@ -40,8 +40,10 @@ usho do_hash_file(const char *filename)
 	}
 
 	do {	ret   = fread(&buf, 1, BSIZE, fd);
-		if (ret == -1)
+		if (ret == -1) {
+			fclose(fd);
 			return 0;
+		}
 		hash ^= do_hash((usho *)&buf, ret);
 	} while(ret);
 
diff --git a/src/qmode.c b/src/qmode.c
index d8c22db..cf52866 100644
--- a/src/qmode.c
+++ b/src/qmode.c
@@ -43,38 +43,33 @@ void process_message(char *msg)
 {
 	char *str;
 	char *arg;
-	int c=1;
 	if (msg == NULL)
 		return;
 	printf("[x] (%s)\n", msg);
 	str = strdup(msg);
 	arg = strchr(str, ':');
-	if (c!=0) {
-		arg[0]='\0';
-		arg = arg +1;
-		if (!strcmp(str, "flash")) {
-			const char *type = fpid_file(arg);
-			if (type == NULL) {
-				squeue_push2(p, "error", "Unknown piece format", 1);
-			} else flash_image(arg, type, NULL);
-		} else
-		if (!strcmp(str, "reset")) {
-			if (reboot_board() == 0) {
-				squeue_push2(p,"info", "Device reboots", 1);
-			} else squeue_push2(p,"error", "Cannot reboot device", 1);
-		} else
-		if (!strcmp(str, "info")) {
-			get_rd_flags();
-			squeue_push2(p, "info", strbuf, 1);
-			get_nolo_version();
-			squeue_push2(p, "info", strbuf, 1);
-			get_usb_mode();
-			squeue_push2(p, "info", strbuf, 1);
-		} else
-			squeue_push2(p, "error", "invalid command", 0);
-	} else {
-		squeue_push2(p, "error", "invalid command format", 0);
-	}
+	arg[0]='\0';
+	arg = arg +1;
+	if (!strcmp(str, "flash")) {
+		const char *type = fpid_file(arg);
+		if (type == NULL) {
+			squeue_push2(p, "error", "Unknown piece format", 1);
+		} else flash_image(arg, type, NULL);
+	} else
+	if (!strcmp(str, "reset")) {
+		if (reboot_board() == 0) {
+			squeue_push2(p,"info", "Device reboots", 1);
+		} else squeue_push2(p,"error", "Cannot reboot device", 1);
+	} else
+	if (!strcmp(str, "info")) {
+		get_rd_flags();
+		squeue_push2(p, "info", strbuf, 1);
+		get_nolo_version();
+		squeue_push2(p, "info", strbuf, 1);
+		get_usb_mode();
+		squeue_push2(p, "info", strbuf, 1);
+	} else
+		squeue_push2(p, "error", "invalid command", 0);
 	free(str);
 }
 
diff --git a/src/squeue/squeue.c b/src/squeue/squeue.c
index 96f2b59..89fc7f5 100644
--- a/src/squeue/squeue.c
+++ b/src/squeue/squeue.c
@@ -40,13 +40,18 @@ struct squeue_t *squeue_open(const char *file, int mode)
 	struct squeue_t *q;
 	char *pool;
 	int shmid;
+	int fd;
 	key_t k;
 
 	k = ftok(file, 0x34);
 	if (k == -1) {
 		perror("ftok");
 		squeue_release(file);
-		close(creat(file, 0666));
+		if ((fd = creat(file, 0666)) == -1) {
+			perror("creat");
+			return NULL;
+		}
+		close(fd);
 		chmod(file, 0666);
 		k = ftok(file, 0xa3);
 		if (k == -1) {
-- 
cgit v1.2.3