From 3e432c0341c2eb606dcb063a5b740ebbe9171b7b Mon Sep 17 00:00:00 2001
From: Thomas Schmitt
Date: Sat, 25 Aug 2007 08:58:41 +0000
Subject: [PATCH] Corrected memory management flaws found by Joris Dobbelsteen
---
libburn/trunk/cdrskin/cdrskin_timestamp.h | 2 +-
libburn/trunk/libburn/file.c | 28 ++++++++++++++++++++++-
libburn/trunk/libburn/libburn.h | 19 +++++++++++----
libburn/trunk/libburn/mmc.c | 11 +++++++--
libburn/trunk/libburn/source.c | 6 +++++
libburn/trunk/libburn/structure.c | 6 +++++
6 files changed, 64 insertions(+), 8 deletions(-)
diff --git a/libburn/trunk/cdrskin/cdrskin_timestamp.h b/libburn/trunk/cdrskin/cdrskin_timestamp.h
index 7fc2521f..2e06fb9e 100644
--- a/libburn/trunk/cdrskin/cdrskin_timestamp.h
+++ b/libburn/trunk/cdrskin/cdrskin_timestamp.h
@@ -1 +1 @@
-#define Cdrskin_timestamP "2007.08.22.173459"
+#define Cdrskin_timestamP "2007.08.25.085709"
diff --git a/libburn/trunk/libburn/file.c b/libburn/trunk/libburn/file.c
index 23aef92c..2fef9a1d 100644
--- a/libburn/trunk/libburn/file.c
+++ b/libburn/trunk/libburn/file.c
@@ -100,7 +100,7 @@ struct burn_source *burn_file_source_new(const char *path, const char *subpath) fd1 = open(path, O_RDONLY); if (fd1 == -1) return NULL; - if (subpath) { + if (subpath != NULL) { fd2 = open(subpath, O_RDONLY); if (fd2 == -1) { close(fd1);
@@ -108,6 +108,16 @@ struct burn_source *burn_file_source_new(const char *path, const char *subpath) } } fs = malloc(sizeof(struct burn_source_file)); + + /* ts A70825 */ + if (fs == NULL) { +failure:; + close(fd1); + if (subpath != NULL) + close(fd2); + return NULL; + } + fs->datafd = fd1; if (subpath)
@@ -117,6 +127,13 @@ struct burn_source *burn_file_source_new(const char *path, const char *subpath) fs->fixed_size = 0; src = burn_source_new(); + + /* ts A70825 */ + if (src == NULL) { + free((char *) fs); + goto failure; + } + src->read = file_read; if (subpath) src->read_sub = file_read_sub;
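Review bot: The `failure:` label in the `burn_file_source_new` hunk at -108 sits inside the body of `if (fs == NULL) {`, and the `goto failure;` added in the hunk at -117 jumps into that conditional block from outside it. This is legal C, but the descriptor cleanup is now hidden in a branch that reads as "allocation failed", so a later edit to that branch can silently change what the `src == NULL` path releases. A single cleanup label at the end of the function, reached by `if (fs == NULL) goto failure;` here and by the existing `goto failure;` after `free(fs)`, would keep both error paths on one visible exit. The function's end lies outside these hunks, so the exact placement has to be checked against the full file.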
@@ -139,11 +156,20 @@ struct burn_source *burn_fd_source_new(int datafd, int subfd, off_t size) if (datafd == -1) return NULL; fs = malloc(sizeof(struct burn_source_file)); + if (fs == NULL) /* ts A70825 */ + return NULL; fs->datafd = datafd; fs->subfd = subfd; fs->fixed_size = size; src = burn_source_new(); + + /* ts A70825 */ + if (src == NULL) { + free((char *) fs); + return NULL; + } + src->read = file_read; if(subfd != -1) src->read = file_read_sub;
diff --git a/libburn/trunk/libburn/libburn.h b/libburn/trunk/libburn/libburn.h
index 726c64f8..1eb103ec 100644
--- a/libburn/trunk/libburn/libburn.h
+++ b/libburn/trunk/libburn/libburn.h
@@ -1127,7 +1127,9 @@ int burn_msf_to_lba(int m, int s, int f); */ void burn_lba_to_msf(int lba, int *m, int *s, int *f); -/** Create a new disc */ +/** Create a new disc + @return Pointer to a burn_disc object or NULL on failure. +*/ struct burn_disc *burn_disc_create(void); /** Delete disc and decrease the reference count on all its sessions
@@ -1135,7 +1137,9 @@ struct burn_disc *burn_disc_create(void); */ void burn_disc_free(struct burn_disc *d); -/** Create a new session */ +/** Create a new session + @return Pointer to a burn_session object or NULL on failure. + */ struct burn_session *burn_session_create(void); /** Free a session (and decrease reference count on all tracks inside)
@@ -1264,7 +1268,12 @@ int burn_track_set_default_size(struct burn_track *t, off_t size); */ void burn_source_free(struct burn_source *s); -/** Creates a data source for an image file (and maybe subcode file) */ +/** Creates a data source for an image file (and maybe subcode file) + @param path The file address for the main channel payload. + @param subpath Eventual address for subchannel data. Only used in exotic + raw write modes. Submit NULL for normal tasks. + @return Pointer to a burn_source object, NULL indicates failure +*/ struct burn_source *burn_file_source_new(const char *path, const char *subpath);
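Review bot: In the `burn_fd_source_new` hunk at -139, the context line `if(subfd != -1) src->read = file_read_sub;` overwrites the main-channel reader that was set one line earlier, whereas `burn_file_source_new` in the same file assigns `src->read_sub = file_read_sub;` for the equivalent case. This looks like a pre-existing slip that the commit leaves in place, and the likely intended line is `src->read_sub = file_read_sub;`, to be confirmed against `file_read_sub`, which is not visible here. The two new failure returns leave `datafd` and `subfd` open, which is reasonable for caller-owned descriptors, but the `@return` text added in libburn.h does not say so, and one sentence there would prevent a descriptor leak in callers. The function continues beyond the hunk.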
@@ -1272,9 +1281,11 @@ struct burn_source *burn_file_source_new(const char *path, readable filedescriptor, an eventually open readable subcodes file descriptor and eventually a fixed size in bytes. @param datafd The source of data. - @param subfd The eventual source for subcodes. Not used if -1. + @param subfd The eventual source of subchannel data. Only used in exotic + raw write modes. Submit -1 for normal tasks. @param size The eventual fixed size of eventually both fds. If this value is 0, the size will be determined from datafd. + @return Pointer to a burn_source object, NULL indicates failure */ struct burn_source *burn_fd_source_new(int datafd, int subfd, off_t size);
diff --git a/libburn/trunk/libburn/mmc.c b/libburn/trunk/libburn/mmc.c
index 09d27525..40783e80 100644
--- a/libburn/trunk/libburn/mmc.c
+++ b/libburn/trunk/libburn/mmc.c
@@ -960,8 +960,9 @@ static int mmc_read_toc_al(struct burn_drive *d, int *alloc_len) d->toc_entries = 0; /* Prefering memory leaks over fandangos */ d->toc_entry = malloc(sizeof(struct burn_toc_entry)); - memset(&(d->toc_entry[0]), 0, sizeof(struct burn_toc_entry)); - + if (d->toc_entry != NULL) /* ts A70825 */ + memset(&(d->toc_entry[0]), 0, + sizeof(struct burn_toc_entry)); return 0; }
@@ -982,6 +983,8 @@ static int mmc_read_toc_al(struct burn_drive *d, int *alloc_len) a ssert(((dlen - 2) % 11) == 0); */ d->toc_entry = malloc(d->toc_entries * sizeof(struct burn_toc_entry)); + if(d->toc_entry == NULL) /* ts A70825 */ + return 0; for (i = 0; i < d->toc_entries; i++) memset(&(d->toc_entry[i]), 0, sizeof(struct burn_toc_entry)); tdata = c.page->data + 4;
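Review bot: The `return 0;` added after the failed `malloc` in the `mmc_read_toc_al` hunk at -982 leaves `d->toc_entries` at the count used in the multiplication while `d->toc_entry` is NULL, so any later code that walks the TOC by that count would dereference a null pointer (those users are not visible here). Resetting the count before returning, `d->toc_entries = 0;`, keeps the two fields consistent. The hunk at -989 has the same shape: returning when `burn_session_create()` fails leaves `d->disc` holding fewer sessions than the drive reported, and `burn_disc_free(d->disc); d->disc = NULL;` before that return would avoid handing a partial disc to callers. All of these paths return 0, the same value as the return visible in the hunk at -960, so whether callers can distinguish failure from success should be confirmed; the function body extends outside these hunks.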
@@ -989,9 +992,13 @@ static int mmc_read_toc_al(struct burn_drive *d, int *alloc_len) burn_print(12, "TOC:\n"); d->disc = burn_disc_create(); + if (d->disc == NULL) /* ts A70825 */ + return 0; for (i = 0; i < c.page->data[3]; i++) { session = burn_session_create(); + if (session == NULL) /* ts A70825 */ + return 0; burn_disc_add_session(d->disc, session, BURN_POS_END); burn_session_free(session); }
diff --git a/libburn/trunk/libburn/source.c b/libburn/trunk/libburn/source.c
index a5ec1529..b255a10e 100644
--- a/libburn/trunk/libburn/source.c
+++ b/libburn/trunk/libburn/source.c
@@ -34,6 +34,12 @@ struct burn_source *burn_source_new(void) struct burn_source *out; out = calloc(1, sizeof(struct burn_source)); + + /* ts A70825 */ + if (out == NULL) + return NULL; + memset((char *) out, 0, sizeof(struct burn_source)); + out->refcount = 1; return out; }
diff --git a/libburn/trunk/libburn/structure.c b/libburn/trunk/libburn/structure.c
index 3b901537..40897b94 100644
--- a/libburn/trunk/libburn/structure.c
+++ b/libburn/trunk/libburn/structure.c
@@ -40,6 +40,8 @@ struct burn_disc *burn_disc_create(void) { struct burn_disc *d; d = calloc(1, sizeof(struct burn_disc)); + if (d == NULL) /* ts A70825 */ + return NULL; d->refcnt = 1; d->sessions = 0; d->session = NULL;
@@ -64,6 +66,8 @@ struct burn_session *burn_session_create(void) { struct burn_session *s; s = calloc(1, sizeof(struct burn_session)); + if (s == NULL) /* ts A70825 */ + return NULL; s->refcnt = 1; s->tracks = 0; s->track = NULL;
@@ -104,6 +108,8 @@ struct burn_track *burn_track_create(void) { struct burn_track *t; t = calloc(1, sizeof(struct burn_track)); + if (t == NULL) /* ts A70825 */ + return NULL; t->refcnt = 1; t->indices = 0; t->offset = 0;
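Review bot: The added `memset((char *) out, 0, sizeof(struct burn_source));` in the `burn_source_new` hunk of source.c is redundant, because `out` comes from `calloc(1, sizeof(struct burn_source))` on the context line above and is already zero-filled. Dropping that line leaves the NULL check as the only change in the function and avoids implying that the object needs a second clearing. If the intent was to guard against a future switch to `malloc`, a short comment saying so would serve better than the extra call.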