fix possible copy of null buffer and validation of unitialized header
authorPetr Štetiar <ynezz@true.cz>
Tue, 22 Oct 2019 12:05:39 +0000 (14:05 +0200)
committerPetr Štetiar <ynezz@true.cz>
Sat, 9 Nov 2019 13:28:09 +0000 (14:28 +0100)
scan-build from clang version 9 has reported the following issues:

 fwtool.c:257:2: warning: Null pointer passed as an argument to a 'nonnull' parameter
        memcpy(dest, dbuf->cur + dbuf->cur_len - cur_len, cur_len);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 fwtool.c:275:20: warning: The left operand of '!=' is a garbage value
         if (hdr->version != 0)
             ~~~~~~~~~~~~ ^

Signed-off-by: Petr Štetiar <ynezz@true.cz>
fwtool.c

index c059331ad2317a62dd2b3ac4ab24e2dc262448d2..e925b0bf5e65ecb3d4b2d3c2e002cdbd3dbe5750 100644 (file)
--- a/fwtool.c
+++ b/fwtool.c
@@ -251,7 +251,7 @@ extract_tail(struct data_buf *dbuf, void *dest, int len)
        remove_tail(dbuf, cur_len);
 
        cur_len = len - cur_len;
-       if (cur_len && !dbuf->cur)
+       if (cur_len < 0 || !dbuf->cur)
                return 1;
 
        memcpy(dest, dbuf->cur + dbuf->cur_len - cur_len, cur_len);
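Review bot: The second memcpy at the end of the hunk is still unbounded on the source side: once the rewritten guard passes, `cur_len` bytes are read starting at `dbuf->cur + dbuf->cur_len - cur_len`, and if `cur_len` is the length of the buffer `dbuf->cur` points at (which the offset arithmetic suggests), a remaining length larger than `dbuf->cur_len` makes the source pointer start before that buffer. Extending the guard to `if (cur_len < 0 || !dbuf->cur || cur_len > dbuf->cur_len) return 1;` closes that without changing the call sites. Note also that the new condition now reports failure whenever `dbuf->cur` is NULL even with `cur_len == 0`, i.e. when the first copy already satisfied the request; whether that is reachable depends on how remove_tail treats an exhausted buffer, and whether `cur_len < 0` can ever hold depends on how the first portion is clamped, both of which lie above the hunk, as does the start of extract_tail.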
@@ -327,8 +327,10 @@ extract_data(const char *name)
 
        while (1) {
 
-               if (extract_tail(&dbuf, &tr, sizeof(tr)))
+               if (extract_tail(&dbuf, &tr, sizeof(tr))) {
+                       msg("unable to extract trailer header\n");
                        break;
+               }
 
                if (tr.magic != cpu_to_be32(FWIMAGE_MAGIC)) {
                        msg("Data not found\n");
@@ -348,7 +350,10 @@ extract_data(const char *name)
                        break;
                }
 
-               extract_tail(&dbuf, buf, data_len);
+               if (extract_tail(&dbuf, buf, data_len)) {
+                       msg("unable to extract trailer data\n");
+                       break;
+               }
 
                if (tr.type == FWIMAGE_SIGNATURE) {
                        if (!signature_file)
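Review bot: The new early `break` after the extract_tail call leaves the loop with `buf` already set up for `data_len` bytes wherever that happens before this call (outside the hunk); if `buf` is heap-allocated, this path needs a `free(buf)` before the `break` (as any existing `break` between the allocation and the end of the loop would) unless the code after the loop releases it — confirm against the cleanup that follows `while (1)`. The equivalent message-and-break added in the previous hunk raises no such question, since `tr` is a local object. The body of extract_data continues past the end of the hunk.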