From: Colin Watson <cjwatson@debian.org>
Date: Sun, 3 Jan 2021 02:06:39 -0800
Subject: Fix some non-exploitable buffer overflows in mkbootmsg (LP: #27011).
---
gfxboot-compile.c | 32 ++++++++++++++++++++------------
1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/gfxboot-compile.c b/gfxboot-compile.c
index dd882e8..835450e 100644
--- a/gfxboot-compile.c
+++ b/gfxboot-compile.c
@@ -1763,7 +1763,7 @@ void log_cline(FILE *lf)
}
-char *add_to_line(char *s)
+char *add_to_line(const char *s)
{
static char buf[10240] = {};
static int ind = 0;
@@ -1812,7 +1812,7 @@ void decompile(unsigned char *data, unsigned size)
unsigned inst_size;
dict_t *d;
unsigned type;
- char *s, buf[1024];
+ char *s, *buf;
unsigned char *p;
// setup initial vocabulary
@@ -1889,13 +1889,15 @@ void decompile(unsigned char *data, unsigned size)
}
case t_unsigned:
- sprintf(buf, "%d", val);
+ asprintf(&buf, "%d", val);
add_to_line(buf);
+ free(buf);
break;
case t_string:
+ buf = malloc(strlen((char *) data + i + u + 1) * 4 + 3);
buf[0] = '"';
- for(j = 1, p = data + i + u + 1; *p && j < sizeof buf - 10; p++) {
+ for(j = 1, p = data + i + u + 1; *p; p++) {
if(*p == '\n') {
buf[j++] = '\\';
buf[j++] = 'n';
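Review bot: The malloc on the t_string line is unchecked, so a failed allocation goes straight into a write through a null pointer at `buf[0] = '"';`; add `if(!buf) { perror("malloc"); exit(1); }` (or whatever fatal-error helper this file already uses) before that write. The `strlen(...) * 4 + 3` size is only sufficient if every escape the loop emits is at most four bytes per input byte; the loop body continues past the end of this hunk, so that bound should be confirmed and recorded with a comment such as `// worst case below is 4 output bytes per input byte, plus the two quotes and the NUL`. Dropping the old `j < sizeof buf - 10` cap also means the only remaining length bound on the assembled string is whatever add_to_line enforces on its static 10240-byte buffer, which is outside this patch. The asprintf on the t_unsigned line is likewise unchecked — on failure the contents of buf are unspecified, so the following `add_to_line(buf)` and `free(buf)` would act on garbage; the same applies to every asprintf in the two later hunks, which could share one small checked wrapper.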
@@ -1917,16 +1919,18 @@ void decompile(unsigned char *data, unsigned size)
buf[j++] = '"';
buf[j] = 0;
s = add_to_line(buf);
+ free(buf);
break;
case t_sec:
if(val < dict_size && dict[val].name) {
- sprintf(buf, "%s", dict[val].name);
+ asprintf(&buf, "%s", dict[val].name);
}
else {
- sprintf(buf, "name_%d", val);
+ asprintf(&buf, "name_%d", val);
}
s = add_to_line(buf);
+ free(buf);
printf("%s\n", s);
add_to_line("");
break;
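Review bot: In the t_sec case `free(buf)` now runs before `printf("%s\n", s)`, which is only safe if the pointer returned by add_to_line never aliases its argument; the first hunk suggests it returns into a static buffer, but the body is outside this patch, so that is an assumption. Moving the free after the print, `printf("%s\n", s); free(buf);`, removes the dependency at no cost, or else state the assumption with `// s points into add_to_line's static buffer, not buf` at the first such site. The same ordering appears in the t_prim, t_bool and t_none cases of the following hunk.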
@@ -1939,38 +1943,42 @@ void decompile(unsigned char *data, unsigned size)
}
}
if(s) {
- sprintf(buf, "%s", s);
+ asprintf(&buf, "%s", s);
}
else {
- sprintf(buf, "prim_<%d>", val);
+ asprintf(&buf, "prim_<%d>", val);
}
s = add_to_line(buf);
+ free(buf);
printf("%s\n", s);
add_to_line("");
break;
case t_bool:
- sprintf(buf, "%s", val ? "true" : "false");
+ asprintf(&buf, "%s", val ? "true" : "false");
s = add_to_line(buf);
+ free(buf);
printf("%s\n", s);
add_to_line("");
break;
case t_none:
- sprintf(buf, ".undef");
+ asprintf(&buf, ".undef");
s = add_to_line(buf);
+ free(buf);
printf("%s\n", s);
add_to_line("");
break;
case t_dict_idx:
if(val < dict_size && dict[val].name) {
- sprintf(buf, "/%s", dict[val].name);
+ asprintf(&buf, "/%s", dict[val].name);
}
else {
- sprintf(buf, "/name_%d", val);
+ asprintf(&buf, "/name_%d", val);
}
add_to_line(buf);
+ free(buf);
break;
default: