
Commit a550c3e

Fix Coverity issue OVERRUN
lib/pkg_editor/src/pkg_editor.c:1411:9: Type: Out-of-bounds read (OVERRUN) lib/pkg_editor/src/pkg_editor.c:1323:3: 1. path: Condition "!append_data(&info, 20UL /* sizeof (info) */, z_info, of, 0)", taking false branch. lib/pkg_editor/src/pkg_editor.c:1330:3: 2. path: Condition "!append_data(dir_name, name_length, z_info, of, 0)", taking false branch. lib/pkg_editor/src/pkg_editor.c:1385:5: 3. path: Condition "8192UL /* 2 * 4096 */ < name_length", taking false branch. lib/pkg_editor/src/pkg_editor.c:1385:5: 4. cond_at_most: Checking "8192UL < name_length" implies that "info.name_length" and "name_length" may be up to 8192 on the false branch. lib/pkg_editor/src/pkg_editor.c:1398:5: 5. path: Condition "dir == NULL", taking false branch. lib/pkg_editor/src/pkg_editor.c:1404:5: 6. path: Condition "entry", taking true branch. lib/pkg_editor/src/pkg_editor.c:1406:7: 7. path: Condition "strcmp(entry->d_name, ".") != 0", taking true branch. lib/pkg_editor/src/pkg_editor.c:1406:7: 8. path: Condition "strcmp(entry->d_name, "..") != 0", taking true branch. lib/pkg_editor/src/pkg_editor.c:1411:9: 9. overrun-local: Overrunning array of 8192 bytes at byte offset 8192 by dereferencing pointer "full_name + name_length". [Note: The source code implementation of the function has been overridden by a builtin model.] lib/pkg_editor/src/pkg_editor.c:1641:5: Type: Out-of-bounds read (OVERRUN) lib/pkg_editor/src/pkg_editor.c:1584:3: 1. path: Condition "buffer != NULL", taking true branch. lib/pkg_editor/src/pkg_editor.c:1585:5: 2. path: Condition "input == NULL", taking true branch. lib/pkg_editor/src/pkg_editor.c:1585:5: 3. path: Falling through to end of if statement. lib/pkg_editor/src/pkg_editor.c:1588:3: 4. path: Falling through to end of if statement. lib/pkg_editor/src/pkg_editor.c:1594:3: 5. path: Condition "ret != 0", taking false branch. lib/pkg_editor/src/pkg_editor.c:1610:3: 6. path: Condition "z_info.strm.avail_in > 0", taking true branch. 
lib/pkg_editor/src/pkg_editor.c:1612:5: 7. path: Condition "!read_data(&info, 20UL /* sizeof (info) */, &z_info, input)", taking false branch. lib/pkg_editor/src/pkg_editor.c:1617:5: 8. path: Condition "info.magic != 3203399403U", taking false branch. lib/pkg_editor/src/pkg_editor.c:1625:5: 9. path: Condition "info.kind == PACK_END", taking false branch. lib/pkg_editor/src/pkg_editor.c:1630:5: 10. path: Condition "!read_data(name, info.name_length, &z_info, input)", taking false branch. lib/pkg_editor/src/pkg_editor.c:1638:5: 11. path: Condition "12288UL /* 3 * 4096 */ < out_dir_length", taking true branch. lib/pkg_editor/src/pkg_editor.c:1638:5: 12. cond_at_least: Checking "12288UL < out_dir_length" implies that "out_dir_length" is at least 12289 on the true branch. lib/pkg_editor/src/pkg_editor.c:1641:5: 13. overrun-local: Overrunning array of 12288 bytes at byte offset 12290 by dereferencing pointer "full_name + out_dir_length + 1". [Note: The source code implementation of the function has been overridden by a builtin model.]
1 parent 8085c99 commit a550c3e

1 file changed

+6
-5
lines changed

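--- a/lib/pkg_editor/src/pkg_editor.c
+++ b/lib/pkg_editor/src/pkg_editor.c
@@ -1344,7 +1344,7 @@ static acl_pack_kind add_directory(const char *out_file, FILE *of,
 #ifdef _WIN32
 #define FULL_NAME_LENGTH (2 * MAX_PATH)
 char full_name[FULL_NAME_LENGTH];
-if (FULL_NAME_LENGTH < name_length) {
+if (FULL_NAME_LENGTH <= name_length) {
 fprintf(stderr, "acl_pkg_pack: Failed to write to %s: %s\n", out_file,
 "Directory name too long");
 return PACK_END;
@@ -1388,7 +1388,7 @@ static acl_pack_kind add_directory(const char *out_file, FILE *of,
 struct dirent *entry;
 #define FULL_NAME_LENGTH (2 * PATH_MAX)
 char full_name[FULL_NAME_LENGTH];
-if (FULL_NAME_LENGTH < name_length) {
+if (FULL_NAME_LENGTH <= name_length) {
 fprintf(stderr, "acl_pkg_pack: Failed to write to %s: %s\n", out_file,
 "Directory name too long");
 return PACK_END;
@@ -1641,11 +1641,12 @@ static int acl_pkg_unpack_buffer_or_file(const char *buffer, size_t buffer_size,
 }
 
 // Generate the full name, truncate or zero pad to avoid buffer overflow
-if (FULL_NAME_LEN < out_dir_length) {
+if (FULL_NAME_LEN <= out_dir_length + 1) {
 fprintf(stderr, "%s: Directory name too long\n", routine_name);
+} else {
+strncpy(full_name + out_dir_length + 1, name,
+FULL_NAME_LEN - out_dir_length - 1);
 }
-strncpy(full_name + out_dir_length + 1, name,
-FULL_NAME_LEN - out_dir_length - 1);
 if (full_name[FULL_NAME_LEN - 1] != '\0') {
 full_name[FULL_NAME_LEN - 1] = '\0';
 }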
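Review bot: In the third hunk, the too-long branch of `acl_pkg_unpack_buffer_or_file` only prints "Directory name too long" and then falls through, so the code after the hunk appears to keep using `full_name` without this entry's name appended (it may still hold a previous entry's path). Since the entry names come from the package being unpacked, that branch should stop processing the entry through the function's existing failure path, which lies outside the hunk. The `else` branch still lets `strncpy` silently cut off a name that does not fit, so an entry would be written under a shortened path. If `name` is NUL-terminated at this point, the guard could reject that case as well, e.g. `if (FULL_NAME_LEN <= out_dir_length + 1 || FULL_NAME_LEN - out_dir_length - 1 <= strlen(name)) {`. The comment above it would then read `// Generate the full name; reject names that do not fit` rather than promising truncation.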
