From f4a49078c8f367ac7b5367119f98865885144f21 Mon Sep 17 00:00:00 2001
From: Thomas Schmitt
Date: Mon, 14 Jul 2014 18:02:14 +0000
Subject: [PATCH] Fixed a wrong read access to memory. Reported by valgrind of lian jianfei,
---
 cdrskin/cdrskin_timestamp.h | 2 +-
 libburn/drive.c | 29 +++++++++++++----------------
 2 files changed, 14 insertions(+), 17 deletions(-)
diff --git a/cdrskin/cdrskin_timestamp.h b/cdrskin/cdrskin_timestamp.h
index 565e935..653d492 100644
--- a/cdrskin/cdrskin_timestamp.h
+++ b/cdrskin/cdrskin_timestamp.h
@@ -1 +1 @@
-#define Cdrskin_timestamP "2014.06.28.062807"
+#define Cdrskin_timestamP "2014.07.14.180122"
diff --git a/libburn/drive.c b/libburn/drive.c
index 48b1cb1..16281ef 100644
--- a/libburn/drive.c
+++ b/libburn/drive.c
@@ -1197,24 +1197,21 @@ void burn_drive_cancel(struct burn_drive *d)
 }
-static void strip_spaces(char *str)
+static void strip_spaces(char *str, size_t len)
 {
- char *tmp;
+ char *tmp, *tmp2;
- tmp = str + strlen(str) - 1;
- while (isspace(*tmp))
- *(tmp--) = '\0';
-
- tmp = str;
- while (*tmp) {
+ /* Remove trailing blanks */
+ for (tmp = str + len - 1; tmp >= str && (isspace(*tmp) || !*tmp); tmp--)
+ *tmp = 0;
+ /* Condense remaining blank intervals to single blanks */
+ for (tmp = str; tmp < str + len - 1 && *tmp; tmp++) {
 if (isspace(*tmp) && isspace(*(tmp + 1))) {
- char *tmp2;
-
- for (tmp2 = tmp + 1; *tmp2; ++tmp2)
+ for (tmp2 = tmp + 1; tmp2 < str + len && *tmp2; tmp2++)
 *(tmp2 - 1) = *tmp2;
 *(tmp2 - 1) = '\0';
- } else
- ++tmp;
+ tmp--; /* try same first blank again */
+ }
 }
 }
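Review bot: All three `isspace()` calls in the new `strip_spaces` receive a plain `char`, and both loops can move `tmp` one element below `str`; each is undefined behaviour for some field contents. The bytes appear to come from drive inquiry data, so on a signed-char platform a byte above 0x7f reaches `isspace()` as a negative value; `isspace((unsigned char)*tmp)` avoids that. An all-blank field ends the first loop with `tmp == str - 1`, and `tmp--` in the condense loop does the same when the blank run starts at `str[0]`; an index form such as `for (i = len; i > 0 && (!str[i - 1] || isspace((unsigned char)str[i - 1])); i--) str[i - 1] = 0;` keeps every access and pointer inside the buffer. A header comment saying that `len` is the field size, and that a terminator is written only when a trailing blank or a blank run is found, would also help callers.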
@@ -1236,11 +1233,11 @@ static int drive_getcaps(struct burn_drive *d, struct burn_drive_info *out)
 id = (struct burn_scsi_inquiry_data *)d->idata;
 memcpy(out->vendor, id->vendor, sizeof(id->vendor));
- strip_spaces(out->vendor);
+ strip_spaces(out->vendor, sizeof(id->vendor));
 memcpy(out->product, id->product, sizeof(id->product));
- strip_spaces(out->product);
+ strip_spaces(out->product, sizeof(id->product));
 memcpy(out->revision, id->revision, sizeof(id->revision));
- strip_spaces(out->revision);
+ strip_spaces(out->revision, sizeof(id->revision));
 strncpy(out->location, d->devname, 16);
 out->location[16] = '\0';
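Review bot: The bound passed to `strip_spaces` at all three call sites is the size of the source field (`sizeof(id->vendor)` and so on), while the buffer being edited is the `out` field, and nothing in the hunk shows that the destination arrays are at least that large or that the copied bytes end in a NUL. Because `strip_spaces` only writes a terminator where it finds a blank or NUL, a field filled with non-blank bytes would leave `out->vendor` unterminated unless the struct layouts guarantee a trailing 0. If the two structs are meant to have identical field sizes including the terminator, a comment above the copies such as `/* out and id fields have the same size; the last byte is always 0 */` would record that, and a compile-time check that `sizeof(out->vendor) >= sizeof(id->vendor)` (likewise for product and revision) would keep it true if either struct changes. drive_getcaps starts and ends outside the hunk.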