Corrected memory management flaws found by Joris Dobbelsteen

ZeroFourZero
Thomas Schmitt 15 years ago
parent 5f66cf5d2f
commit 16a5bbacb4
  1. 2
      cdrskin/cdrskin_timestamp.h
  2. 28
      libburn/file.c
  3. 19
      libburn/libburn.h
  4. 11
      libburn/mmc.c
  5. 6
      libburn/source.c
  6. 6
      libburn/structure.c

@ -1 +1 @@
#define Cdrskin_timestamP "2007.08.22.173459"
#define Cdrskin_timestamP "2007.08.25.085709"

@ -100,7 +100,7 @@ struct burn_source *burn_file_source_new(const char *path, const char *subpath)
fd1 = open(path, O_RDONLY);
if (fd1 == -1)
return NULL;
if (subpath) {
if (subpath != NULL) {
fd2 = open(subpath, O_RDONLY);
if (fd2 == -1) {
close(fd1);
@ -108,6 +108,16 @@ struct burn_source *burn_file_source_new(const char *path, const char *subpath)
}
}
fs = malloc(sizeof(struct burn_source_file));
/* ts A70825 */
if (fs == NULL) {
failure:;
close(fd1);
if (subpath != NULL)
close(fd2);
return NULL;
}
fs->datafd = fd1;
if (subpath)
@ -117,6 +127,13 @@ struct burn_source *burn_file_source_new(const char *path, const char *subpath)
fs->fixed_size = 0;
src = burn_source_new();
/* ts A70825 */
if (src == NULL) {
free((char *) fs);
goto failure;
}
src->read = file_read;
if (subpath)
src->read_sub = file_read_sub;
@ -139,11 +156,20 @@ struct burn_source *burn_fd_source_new(int datafd, int subfd, off_t size)
if (datafd == -1)
return NULL;
fs = malloc(sizeof(struct burn_source_file));
if (fs == NULL) /* ts A70825 */
return NULL;
fs->datafd = datafd;
fs->subfd = subfd;
fs->fixed_size = size;
src = burn_source_new();
/* ts A70825 */
if (src == NULL) {
free((char *) fs);
return NULL;
}
src->read = file_read;
if(subfd != -1)
src->read = file_read_sub;

@ -1127,7 +1127,9 @@ int burn_msf_to_lba(int m, int s, int f);
*/
void burn_lba_to_msf(int lba, int *m, int *s, int *f);
/** Create a new disc */
/** Create a new disc
@return Pointer to a burn_disc object or NULL on failure.
*/
struct burn_disc *burn_disc_create(void);
/** Delete disc and decrease the reference count on all its sessions
@ -1135,7 +1137,9 @@ struct burn_disc *burn_disc_create(void);
*/
void burn_disc_free(struct burn_disc *d);
/** Create a new session */
/** Create a new session
@return Pointer to a burn_session object or NULL on failure.
*/
struct burn_session *burn_session_create(void);
/** Free a session (and decrease reference count on all tracks inside)
@ -1264,7 +1268,12 @@ int burn_track_set_default_size(struct burn_track *t, off_t size);
*/
void burn_source_free(struct burn_source *s);
/** Creates a data source for an image file (and maybe subcode file) */
/** Creates a data source for an image file (and maybe subcode file)
@param path The file address for the main channel payload.
@param subpath Eventual address for subchannel data. Only used in exotic
raw write modes. Submit NULL for normal tasks.
@return Pointer to a burn_source object, NULL indicates failure
*/
struct burn_source *burn_file_source_new(const char *path,
const char *subpath);
@ -1272,9 +1281,11 @@ struct burn_source *burn_file_source_new(const char *path,
readable filedescriptor, an eventually open readable subcodes file
descriptor and eventually a fixed size in bytes.
@param datafd The source of data.
@param subfd The eventual source for subcodes. Not used if -1.
@param subfd The eventual source of subchannel data. Only used in exotic
raw write modes. Submit -1 for normal tasks.
@param size The eventual fixed size of eventually both fds.
If this value is 0, the size will be determined from datafd.
@return Pointer to a burn_source object, NULL indicates failure
*/
struct burn_source *burn_fd_source_new(int datafd, int subfd, off_t size);

@ -960,8 +960,9 @@ static int mmc_read_toc_al(struct burn_drive *d, int *alloc_len)
d->toc_entries = 0;
/* Prefering memory leaks over fandangos */
d->toc_entry = malloc(sizeof(struct burn_toc_entry));
memset(&(d->toc_entry[0]), 0, sizeof(struct burn_toc_entry));
if (d->toc_entry != NULL) /* ts A70825 */
memset(&(d->toc_entry[0]), 0,
sizeof(struct burn_toc_entry));
return 0;
}
@ -982,6 +983,8 @@ static int mmc_read_toc_al(struct burn_drive *d, int *alloc_len)
a ssert(((dlen - 2) % 11) == 0);
*/
d->toc_entry = malloc(d->toc_entries * sizeof(struct burn_toc_entry));
if(d->toc_entry == NULL) /* ts A70825 */
return 0;
for (i = 0; i < d->toc_entries; i++)
memset(&(d->toc_entry[i]), 0, sizeof(struct burn_toc_entry));
tdata = c.page->data + 4;
@ -989,9 +992,13 @@ static int mmc_read_toc_al(struct burn_drive *d, int *alloc_len)
burn_print(12, "TOC:\n");
d->disc = burn_disc_create();
if (d->disc == NULL) /* ts A70825 */
return 0;
for (i = 0; i < c.page->data[3]; i++) {
session = burn_session_create();
if (session == NULL) /* ts A70825 */
return 0;
burn_disc_add_session(d->disc, session, BURN_POS_END);
burn_session_free(session);
}

@ -34,6 +34,12 @@ struct burn_source *burn_source_new(void)
struct burn_source *out;
out = calloc(1, sizeof(struct burn_source));
/* ts A70825 */
if (out == NULL)
return NULL;
memset((char *) out, 0, sizeof(struct burn_source));
out->refcount = 1;
return out;
}

@ -40,6 +40,8 @@ struct burn_disc *burn_disc_create(void)
{
struct burn_disc *d;
d = calloc(1, sizeof(struct burn_disc));
if (d == NULL) /* ts A70825 */
return NULL;
d->refcnt = 1;
d->sessions = 0;
d->session = NULL;
@ -64,6 +66,8 @@ struct burn_session *burn_session_create(void)
{
struct burn_session *s;
s = calloc(1, sizeof(struct burn_session));
if (s == NULL) /* ts A70825 */
return NULL;
s->refcnt = 1;
s->tracks = 0;
s->track = NULL;
@ -104,6 +108,8 @@ struct burn_track *burn_track_create(void)
{
struct burn_track *t;
t = calloc(1, sizeof(struct burn_track));
if (t == NULL) /* ts A70825 */
return NULL;
t->refcnt = 1;
t->indices = 0;
t->offset = 0;

Loading…
Cancel
Save