Browse Source

Prevented a possible buffer overrun with -concat. Coverity CID 28782.

master
Thomas Schmitt 6 years ago
parent
commit
410320c002
  1. 17
      xorriso/opts_a_c.c
  2. 12
      xorriso/parse_exec.c
  3. 3
      xorriso/parse_exec.h

17
xorriso/opts_a_c.c

@ -2235,6 +2235,7 @@ int Xorriso_option_concat(struct XorrisO *xorriso,
{
int ret, end_idx, optc= 0, progc= 0, iso_rr_start, prog_end_idx= -1;
char **optv= NULL, **progv= NULL, *delimiter_mem= NULL;
char *delimiter= NULL;
/* Must be done before any goto ex; */
end_idx= Xorriso_end_idx(xorriso, argc, argv, *idx, 1);
@ -2260,9 +2261,16 @@ int Xorriso_option_concat(struct XorrisO *xorriso,
ret= 0; goto ex;
}
ret= Xorriso_check_thing_len(xorriso, argv[*idx + 1],
sizeof(xorriso->list_delimiter), "-concat",
"Delimiter", 0);
if(ret <= 0)
goto ex;
Xorriso_alloc_meM(delimiter_mem, char, strlen(xorriso->list_delimiter) + 1);
Xorriso_alloc_meM(delimiter, char, strlen(argv[*idx + 1]) + 1);
strcpy(delimiter_mem, xorriso->list_delimiter);
strcpy(xorriso->list_delimiter, argv[*idx + 1]);
strcpy(delimiter, argv[*idx + 1]);
strcpy(xorriso->list_delimiter, delimiter);
ret= Xorriso_opt_args(xorriso, "-concat pipe", argc , argv, *idx + 2,
&prog_end_idx, &progc, &progv, 4 | 128);
strcpy(xorriso->list_delimiter, delimiter_mem);
@ -2288,15 +2296,16 @@ int Xorriso_option_concat(struct XorrisO *xorriso,
progc, progv, optc, optv, 0);
ex:;
if(progv != NULL) {
if(delimiter_mem != NULL)
strcpy(xorriso->list_delimiter, argv[*idx + 2]);
if(delimiter_mem != NULL && delimiter != NULL)
strcpy(xorriso->list_delimiter, delimiter);
Xorriso_opt_args(xorriso, "-concat", argc, argv, *idx + 2, &prog_end_idx,
&progc, &progv, 256);
if(delimiter_mem != NULL)
if(delimiter_mem != NULL && delimiter != NULL)
strcpy(xorriso->list_delimiter, delimiter_mem);
}
Xorriso_opt_args(xorriso, "-concat", argc, argv, iso_rr_start, &end_idx,
&optc, &optv, 256);
Xorriso_free_meM(delimiter);
Xorriso_free_meM(delimiter_mem);
*idx= end_idx;
return(ret);

12
xorriso/parse_exec.c

@ -445,12 +445,12 @@ int Xorriso_decode_load_adr(struct XorrisO *xorriso, char *cmd,
}
int Xorriso_check_name_len(struct XorrisO *xorriso, char *name, int size,
char *cmd, int flag)
int Xorriso_check_thing_len(struct XorrisO *xorriso, char *name, int size,
char *cmd, char *thing, int flag)
{
if((int) strlen(name) >= size) {
sprintf(xorriso->info_text,
"Name too long with option %s (%d > %d)", cmd,
"%s too long with option %s (%d > %d)", thing, cmd,
(int) strlen(name), size - 1);
Xorriso_msgs_submit(xorriso, 0, xorriso->info_text, 0, "SORRY", 0);
return(0);
@ -459,6 +459,12 @@ int Xorriso_check_name_len(struct XorrisO *xorriso, char *name, int size,
}
int Xorriso_check_name_len(struct XorrisO *xorriso, char *name, int size,
char *cmd, int flag)
{
return Xorriso_check_thing_len(xorriso, name, size, cmd, "Name", flag);
}
/* @return <0 error , >=0 number of skipped dashes
*/

3
xorriso/parse_exec.h

@ -55,6 +55,9 @@ int Xorriso_decode_load_adr(struct XorrisO *xorriso, char *cmd,
int *entity_code, char entity_id[81],
int flag);
int Xorriso_check_thing_len(struct XorrisO *xorriso, char *name, int size,
char *cmd, char *thing, int flag);
int Xorriso_check_name_len(struct XorrisO *xorriso, char *name, int size,
char *cmd, int flag);

Loading…
Cancel
Save