Browse code
11874 - fixing OOB read in cabd
Mickey Sola authored on 2017/07/21 01:10:38Showing 1 changed files
| ... | ... |
@@ -521,11 +521,15 @@ static char *cabd_read_string(struct mspack_system *sys, |
| 521 | 521 |
{
|
| 522 | 522 |
off_t base = sys->tell(fh); |
| 523 | 523 |
char buf[256], *str; |
| 524 |
- unsigned int len, i, ok; |
|
| 524 |
+ unsigned int i, ok; |
|
| 525 |
+ ssize_t len; |
|
| 525 | 526 |
|
| 526 | 527 |
/* read up to 256 bytes */ |
| 527 |
- len = sys->read(fh, &buf[0], 256); |
|
| 528 |
- |
|
| 528 |
+ if ( !(len = sys->read(fh, &buf[0], 256) > 0)) {
|
|
| 529 |
+ *error = MSPACK_ERR_READ; |
|
| 530 |
+ return NULL; |
|
| 531 |
+ } |
|
| 532 |
+ |
|
| 529 | 533 |
/* search for a null terminator in the buffer. reject empty strings */ |
| 530 | 534 |
for (i = 1, ok = 0; i < len; i++) if (!buf[i]) { ok = 1; break; }
|
| 531 | 535 |
if (!ok) {
|