From dbc1b1b71b240ed61ea32eda610fde839d87c5f0 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Petr=20=C5=A0tetiar?=
Date: Tue, 22 Oct 2019 14:05:39 +0200
Subject: [PATCH] fix possible copy of null buffer and validation of unitialized header
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

scan-build from clang version 9 has reported following issues:

 fwtool.c:257:2: warning: Null pointer passed as an argument to a 'nonnull' parameter
         memcpy(dest, dbuf->cur + dbuf->cur_len - cur_len, cur_len);
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 fwtool.c:275:20: warning: The left operand of '!=' is a garbage value
         if (hdr->version != 0)
             ~~~~~~~~~~~~ ^

Signed-off-by: Petr Å tetiar
---
 fwtool.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/fwtool.c b/fwtool.c
index c059331..e925b0b 100644
--- a/fwtool.c
+++ b/fwtool.c
@@ -251,7 +251,7 @@ extract_tail(struct data_buf *dbuf, void *dest, int len)
 	remove_tail(dbuf, cur_len);
 	cur_len = len - cur_len;
 
-	if (cur_len && !dbuf->cur)
+	if (cur_len < 0 || !dbuf->cur)
 		return 1;
 
 	memcpy(dest, dbuf->cur + dbuf->cur_len - cur_len, cur_len);
@@ -327,8 +327,10 @@ extract_data(const char *name)
 
 
 	while (1) {
-		if (extract_tail(&dbuf, &tr, sizeof(tr)))
+		if (extract_tail(&dbuf, &tr, sizeof(tr))) {
+			msg("unable to extract trailer header\n");
 			break;
+		}
 
 		if (tr.magic != cpu_to_be32(FWIMAGE_MAGIC)) {
 			msg("Data not found\n");
@@ -348,7 +350,10 @@ extract_data(const char *name)
 			break;
 		}
 
-		extract_tail(&dbuf, buf, data_len);
+		if (extract_tail(&dbuf, buf, data_len)) {
+			msg("unable to extract trailer data\n");
+			break;
+		}
 
 		if (tr.type == FWIMAGE_SIGNATURE) {
 			if (!signature_file)
-- 
2.30.2
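Review bot: The rewritten guard in extract_tail returns 1 whenever dbuf->cur is NULL, even when cur_len is 0, whereas the old `cur_len && !dbuf->cur` deliberately let a fully-satisfied request (nothing left to copy) fall through; if the first part of the copy can consume the buffer exactly, callers now get a failure for a complete extraction, and the two new "unable to extract" messages in extract_data would fire spuriously. `if (cur_len < 0 || (cur_len && !dbuf->cur))` keeps the original meaning, and wrapping the copy as `if (cur_len) memcpy(dest, dbuf->cur + dbuf->cur_len - cur_len, cur_len);` still satisfies the analyzer, since memcpy with a null pointer is undefined even for a zero length. Whether cur_len can actually go negative depends on the clamping done above the hunk; extract_tail starts and ends outside it.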
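Review bot: The new message `unable to extract trailer header` is emitted on a path the old code treated as a silent end of the scan: the trailer header is read at the top of every iteration, so this branch is also reached when the remaining data is simply shorter than sizeof(tr), and if that is still ordinary termination the message should say so or be dropped. As a point of style, the sibling message in the same loop is `"Data not found\n"`, so `"Unable to extract trailer header\n"` here (and `"Unable to extract trailer data\n"` in the next hunk) would match the function's existing wording. The value extract_data returns after `break` is set outside the hunk; it is worth confirming that this path reports failure to the caller rather than success.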
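Review bot: The added `break` on extract_tail failure exits the loop without releasing `buf`; the `break; }` context immediately above the hunk looks like an allocation-failure branch for buf, so if buf is heap-allocated there and freed only at the end of the loop body, this new exit path leaks it. `free(buf); break;` (or a jump to whatever release the loop already performs) closes that. The loop body continues past the end of the hunk, so where buf is normally released cannot be confirmed from here.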