From: Bastiaan J. <bas...@bj...> - 2014-05-03 09:03:48
On Sat, 3 May 2014, Sandro Santilli wrote:
> Dunno why the patch doesn't apply cleanly, ideas ?
None, I'm afraid.
> Any reason for not using strdup rather than malloc && strcpy ?
Only that I forgot about its existence. :)
> Would you mind changing add_import_spec signature to take const char * ?
No.
--
Fix a buffer overflow.
1) Allocate sufficient memory to hold each contained pointer.
2) Copy each import path into a new buffer, because each path is
pointing to optarg, which cannot be assumed to be valid after
a new call to getopt().
The allocated memory is never freed, but that doesn't seem to be a big
issue in this program.
diff --git a/util/makeswf.c b/util/makeswf.c
index 4fdc826..4c6726f 100644
--- a/util/makeswf.c
+++ b/util/makeswf.c
@@ -82,7 +82,7 @@
#define MAXERRORMSG 1024
/* prototypes */
-static void add_import_spec(char *spec);
+static void add_import_spec(const char *spec);
static void add_init_action(char *file, int frameno);
static void add_init_action_spec(char *spec);
static void compile_init_actions(int frameno, int debug);
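Review bot: In the prototype block, add_import_spec now takes const char * while the neighbouring add_init_action_spec(char *spec) still takes a mutable pointer; if that function also only reads its argument, const-qualify it in the same patch so the two spec helpers stay consistent. Since the definition now calls strdup, it is also worth confirming that <string.h> is included, as no hunk in this diff adds it.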
@@ -441,18 +441,19 @@ main (int argc, char **argv)
static void
-add_import_spec(char *spec)
+add_import_spec(const char *spec)
{
+ size_t bytes_per_ptr = sizeof(char**);
if ( numimport_specs == 0 )
{
- import_specs = (char **)malloc(1);
+ import_specs = (char **)malloc(1 * bytes_per_ptr);
}
else
{
import_specs = (char **)realloc(import_specs,
- numimport_specs+1);
+ (numimport_specs+1) * bytes_per_ptr);
}
- import_specs[numimport_specs] = spec;
+ import_specs[numimport_specs] = strdup(spec);
numimport_specs++;
}
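Review bot: In add_import_spec, the results of malloc, realloc and strdup are used without a NULL check, and the realloc result is assigned straight back to import_specs, so a failed allocation loses the old array and is followed by a write through a null pointer at import_specs[numimport_specs]. Assign the realloc result to a temporary, check it and the strdup result, and exit with an error message on failure. Two smaller points: bytes_per_ptr is sizeof(char**) while the array elements are char *, so sizeof(*import_specs) would state the intent and stay correct if the type changes (the two sizes match in practice); and the malloc branch can be dropped, since realloc on a NULL pointer behaves like malloc, provided import_specs is initialised to NULL, which is not visible in this hunk.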