applied patch to fix issues found by static analyses

Honza Horák 2011-05-30 11:53:29 +02:00
parent 0b7b92b4fa
commit 65baae721b
2 changed files with 343 additions and 1 deletions


@ -0,0 +1,337 @@
diff -up libcdio-0.82/example/audio.c.staticanal libcdio-0.82/example/audio.c
--- libcdio-0.82/example/audio.c.staticanal 2008-11-29 05:52:43.000000000 +0100
+++ libcdio-0.82/example/audio.c 2011-05-30 10:52:10.426487951 +0200
@@ -340,6 +340,7 @@ main(int argc, char *argv[])
i_volume_level = atoi(optarg);
todo = SET_VOLUME;
}
+ break;
case 't':
if (NULL != (h = strchr(optarg,'-'))) {
*h = 0;
diff -up libcdio-0.82/example/mmc2a.c.staticanal libcdio-0.82/example/mmc2a.c
--- libcdio-0.82/example/mmc2a.c.staticanal 2008-11-29 05:52:43.000000000 +0100
+++ libcdio-0.82/example/mmc2a.c 2011-05-30 10:52:10.427487951 +0200
@@ -41,7 +41,7 @@
static void
print_mode_sense (const char *psz_drive, const char *six_or_ten,
- const uint8_t buf[22])
+ const uint8_t buf[30])
{
printf("Mode sense %s information for %s:\n", six_or_ten, psz_drive);
if (buf[2] & 0x01) {
@@ -211,7 +211,7 @@ main(int argc, const char *argv[])
printf("Couldn't find CD\n");
return 1;
} else {
- uint8_t buf[22] = { 0, }; /* Place to hold returned data */
+ uint8_t buf[30] = { 0, }; /* Place to hold returned data */
char *psz_cd = cdio_get_default_device(p_cdio);
if (DRIVER_OP_SUCCESS == mmc_mode_sense_6(p_cdio, buf, sizeof(buf),
CDIO_MMC_CAPABILITIES_PAGE) ) {
diff -up libcdio-0.82/example/paranoia.c.staticanal libcdio-0.82/example/paranoia.c
--- libcdio-0.82/example/paranoia.c.staticanal 2009-04-20 13:03:15.000000000 +0200
+++ libcdio-0.82/example/paranoia.c 2011-05-30 10:52:10.428487951 +0200
@@ -129,6 +129,10 @@ main(int argc, const char *argv[])
track_t i_track = cdda_sector_gettrack(d, i_first_lsn);
lsn_t i_last_lsn = cdda_track_lastsector(d, i_track);
int fd = creat("track1s.wav", 0644);
+ if (-1 == fd) {
+ printf("Unable to create track1s.wav\n");
+ exit(1);
+ }
/* For demo purposes we'll read only 300 frames (about 4
seconds). We don't want this to take too long. On the other
diff -up libcdio-0.82/lib/cdda_interface/cddap_interface.c.staticanal libcdio-0.82/lib/cdda_interface/cddap_interface.c
--- libcdio-0.82/lib/cdda_interface/cddap_interface.c.staticanal 2008-11-29 05:52:43.000000000 +0100
+++ libcdio-0.82/lib/cdda_interface/cddap_interface.c 2011-05-30 10:52:10.431487951 +0200
@@ -281,6 +281,7 @@ verify_read_command(cdrom_drive_t *d)
if(!audioflag){
cdmessage(d,"\tCould not find any audio tracks on this disk.\n");
+ free(buff);
return(-403);
}
diff -up libcdio-0.82/lib/cdda_interface/common_interface.c.staticanal libcdio-0.82/lib/cdda_interface/common_interface.c
--- libcdio-0.82/lib/cdda_interface/common_interface.c.staticanal 2008-11-29 05:52:43.000000000 +0100
+++ libcdio-0.82/lib/cdda_interface/common_interface.c 2011-05-30 10:52:10.432487951 +0200
@@ -58,8 +58,8 @@ data_bigendianp(cdrom_drive_t *d)
float *a=calloc(1024,sizeof(float));
float *b=calloc(1024,sizeof(float));
long readsectors=5;
- int16_t *buff=malloc(readsectors*CDIO_CD_FRAMESIZE_RAW);
- memset(buff, 0, readsectors*CDIO_CD_FRAMESIZE_RAW);
+ int16_t *buff=malloc(readsectors*CDIO_CD_FRAMESIZE_RAW*sizeof(int16_t));
+ memset(buff, 0, readsectors*CDIO_CD_FRAMESIZE_RAW*sizeof(int16_t));
/* look at the starts of the audio tracks */
/* if real silence, tool in until some static is found */
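Review bot: The result of `malloc` on the first added line goes straight into `memset` on the next one without a NULL check, so an allocation failure in data_bigendianp becomes a write through a null pointer; the two `calloc` results above it (`a`, `b`) are unchecked as far as the hunk shows. A single `int16_t *buff=calloc(readsectors*CDIO_CD_FRAMESIZE_RAW, sizeof(int16_t));` would zero the buffer and let the allocator check the multiplication, with one `if (!a || !b || !buff)` cleanup path after it. The added `*sizeof(int16_t)` also doubles the buffer if CDIO_CD_FRAMESIZE_RAW is already a byte count, which its name suggests but the hunk does not show; a short comment stating the intended unit would settle that. The function body continues outside the hunk.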
diff -up libcdio-0.82/lib/cdda_interface/scan_devices.c.staticanal libcdio-0.82/lib/cdda_interface/scan_devices.c
--- libcdio-0.82/lib/cdda_interface/scan_devices.c.staticanal 2009-07-03 01:41:48.000000000 +0200
+++ libcdio-0.82/lib/cdda_interface/scan_devices.c 2011-05-30 10:52:10.433487951 +0200
@@ -323,7 +323,6 @@ cdda_identify_device_cdio(CdIo_t *p_cdio
snprintf( d->drive_model, i_len, "%s %s %s %s",
hw_info.psz_vendor, hw_info.psz_model, hw_info.psz_revision,
description );
- free(description);
} else {
d->drive_model=malloc( i_len );
snprintf( d->drive_model, i_len, "%s %s %s",
@@ -335,5 +334,8 @@ cdda_identify_device_cdio(CdIo_t *p_cdio
}
}
+ if (description)
+ free(description);
+
return(d);
}
diff -up libcdio-0.82/lib/driver/device.c.staticanal libcdio-0.82/lib/driver/device.c
--- libcdio-0.82/lib/driver/device.c.staticanal 2009-07-13 01:21:30.000000000 +0200
+++ libcdio-0.82/lib/driver/device.c 2011-05-30 10:52:10.435487951 +0200
@@ -1044,7 +1044,7 @@ driver_return_code_t
cdio_set_blocksize ( const CdIo_t *p_cdio, int i_blocksize )
{
if (!p_cdio) return DRIVER_OP_UNINIT;
- if (p_cdio->op.set_blocksize) return DRIVER_OP_UNSUPPORTED;
+ if (!p_cdio->op.set_blocksize) return DRIVER_OP_UNSUPPORTED;
return p_cdio->op.set_blocksize(p_cdio->env, i_blocksize);
}
diff -up libcdio-0.82/lib/driver/gnu_linux.c.staticanal libcdio-0.82/lib/driver/gnu_linux.c
--- libcdio-0.82/lib/driver/gnu_linux.c.staticanal 2009-07-03 01:31:58.000000000 +0200
+++ libcdio-0.82/lib/driver/gnu_linux.c 2011-05-30 10:52:10.437487951 +0200
@@ -194,12 +194,14 @@ check_mounts_linux(const char *mtab)
}
}
}
- if ( strcmp(mnt_type, "iso9660") == 0 ) {
- if (is_cdrom_linux(mnt_dev, mnt_type) > 0) {
- free(mnt_type);
- endmntent(mntfp);
- return mnt_dev;
- }
+ if ( mnt_dev && mnt_dev ) {
+ if ( strcmp(mnt_type, "iso9660") == 0 ) {
+ if (is_cdrom_linux(mnt_dev, mnt_type) > 0) {
+ free(mnt_type);
+ endmntent(mntfp);
+ return mnt_dev;
+ }
+ }
}
free(mnt_dev);
free(mnt_type);
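Review bot: The new guard `if ( mnt_dev && mnt_dev )` tests the same pointer twice, so `mnt_type` still reaches `strcmp` unchecked and a NULL there is dereferenced exactly as before the patch. The condition was presumably meant to be `if ( mnt_dev && mnt_type ) {`. The loop in check_mounts_linux that fills both pointers starts outside the hunk, so whether `mnt_type` can actually be NULL here depends on the allocation code above.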
diff -up libcdio-0.82/lib/driver/image/cdrdao.c.staticanal libcdio-0.82/lib/driver/image/cdrdao.c
--- libcdio-0.82/lib/driver/image/cdrdao.c.staticanal 2008-11-29 05:52:43.000000000 +0100
+++ libcdio-0.82/lib/driver/image/cdrdao.c 2011-05-30 10:52:10.438487951 +0200
@@ -621,18 +621,18 @@ parse_tocfile (_img_private_t *cd, const
goto format_error;
}
} else if (0 == strcmp ("COPY", psz_keyword)) {
- if (NULL != cd)
+ if (NULL != cd && i >= 0)
cd->tocent[i].flags |= CDIO_TRACK_FLAG_COPY_PERMITTED;
} else if (0 == strcmp ("PRE_EMPHASIS", psz_keyword)) {
- if (NULL != cd)
+ if (NULL != cd && i >= 0)
cd->tocent[i].flags |= CDIO_TRACK_FLAG_PRE_EMPHASIS;
/* TWO_CHANNEL_AUDIO */
} else if (0 == strcmp ("TWO_CHANNEL_AUDIO", psz_keyword)) {
- if (NULL != cd)
+ if (NULL != cd && i >= 0)
cd->tocent[i].flags &= ~CDIO_TRACK_FLAG_FOUR_CHANNEL_AUDIO;
/* FOUR_CHANNEL_AUDIO */
} else if (0 == strcmp ("FOUR_CHANNEL_AUDIO", psz_keyword)) {
- if (NULL != cd)
+ if (NULL != cd && i >= 0)
cd->tocent[i].flags |= CDIO_TRACK_FLAG_FOUR_CHANNEL_AUDIO;
/* ISRC "CCOOOYYSSSSS" */
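Review bot: The four added `i >= 0` tests silently ignore a COPY, PRE_EMPHASIS, TWO_CHANNEL_AUDIO or FOUR_CHANNEL_AUDIO keyword that arrives while `i` is still negative (presumably before the first track), whereas other malformed input in parse_tocfile takes `goto format_error`, as the first context lines show. Rejecting the file would be more consistent for a parser of image metadata that may be untrusted: `if (i < 0) goto format_error;` ahead of each flag update. Only the lower bound is checked here; whether `i` is also bounded against the size of `cd->tocent` is decided outside the hunk and is worth confirming.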
diff -up libcdio-0.82/lib/driver/image/nrg.c.staticanal libcdio-0.82/lib/driver/image/nrg.c
--- libcdio-0.82/lib/driver/image/nrg.c.staticanal 2009-07-03 01:42:45.000000000 +0200
+++ libcdio-0.82/lib/driver/image/nrg.c 2011-05-30 10:52:10.440487951 +0200
@@ -182,6 +182,7 @@ parse_nrg (_img_private_t *p_env, const
long unsigned int footer_start;
long unsigned int size;
char *footer_buf = NULL;
+ if (!p_env) return false;
size = cdio_stream_stat (p_env->gen.data_source);
if (-1 == size) return false;
diff -up libcdio-0.82/lib/driver/mmc.c.staticanal libcdio-0.82/lib/driver/mmc.c
--- libcdio-0.82/lib/driver/mmc.c.staticanal 2008-11-29 05:52:43.000000000 +0100
+++ libcdio-0.82/lib/driver/mmc.c 2011-05-30 10:52:10.442487951 +0200
@@ -537,6 +537,7 @@ mmc_set_blocksize_private ( void *p_env,
memset (&mh, 0, sizeof (mh));
mh.block_desc_length = 0x08;
+ /* while i_blocksize is uint16_t, this expression is always 0 */
mh.block_length_hi = (i_blocksize >> 16) & 0xff;
mh.block_length_med = (i_blocksize >> 8) & 0xff;
mh.block_length_lo = (i_blocksize >> 0) & 0xff;
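Review bot: The added comment records the analyser finding but does not tell the reader whether the line below it is dead code or a latent truncation, and "while" reads as a time condition. Something like `/* i_blocksize is 16 bits wide, so block_length_hi is always 0; a larger block size would need a wider parameter */` says what the code does today and what would have to change. The parameter's type is declared outside the hunk, so this takes the comment's own statement about `uint16_t` as given.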
diff -up libcdio-0.82/lib/driver/read.c.staticanal libcdio-0.82/lib/driver/read.c
--- libcdio-0.82/lib/driver/read.c.staticanal 2008-11-29 05:52:43.000000000 +0100
+++ libcdio-0.82/lib/driver/read.c 2011-05-30 10:52:10.444487951 +0200
@@ -176,7 +176,7 @@ cdio_read_mode1_sector (const CdIo_t *p_
if (p_cdio->op.read_mode1_sector) {
return p_cdio->op.read_mode1_sector(p_cdio->env, p_buf, i_lsn, b_form2);
} else if (p_cdio->op.lseek && p_cdio->op.read) {
- char buf[CDIO_CD_FRAMESIZE] = { 0, };
+ char buf[M2RAW_SECTOR_SIZE] = { 0, };
if (0 > cdio_lseek(p_cdio, CDIO_CD_FRAMESIZE*i_lsn, SEEK_SET))
return -1;
if (0 > cdio_read(p_cdio, buf, CDIO_CD_FRAMESIZE))
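Review bot: Enlarging `buf` to M2RAW_SECTOR_SIZE only guards against an out-of-bounds read by code after this hunk that copies more than CDIO_CD_FRAMESIZE out of it; the `cdio_read` call on the last visible line still fills just CDIO_CD_FRAMESIZE bytes, so everything beyond that is the zero initialiser and not sector data. If the form-2 path does copy the larger size (not visible here), either the read length and the copy length should come from one value, or the declaration should say so: `/* sized for the largest copy; only CDIO_CD_FRAMESIZE bytes are read, the tail stays zero */`. The `0 >` test on the read also accepts a short read, which leaves even more of the buffer as padding.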
diff -up libcdio-0.82/lib/iso9660/iso9660_fs.c.staticanal libcdio-0.82/lib/iso9660/iso9660_fs.c
--- libcdio-0.82/lib/iso9660/iso9660_fs.c.staticanal 2008-11-29 05:52:43.000000000 +0100
+++ libcdio-0.82/lib/iso9660/iso9660_fs.c 2011-05-30 10:52:10.446487951 +0200
@@ -192,10 +192,11 @@ iso9660_open_ext_private (const char *ps
return p_iso;
error:
- if (p_iso && p_iso->stream) {
+ if (p_iso->stream)
cdio_stdio_destroy(p_iso->stream);
- free(p_iso);
- }
+
+ free(p_iso);
+
return NULL;
}
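Review bot: The rewritten `error:` path dereferences `p_iso->stream` unconditionally, where the removed code tested `p_iso` first; if any `goto error` outside this hunk can run with `p_iso` still NULL, cleanup now crashes instead of returning NULL. Keeping the pointer test costs nothing and preserves the leak fix: `if (p_iso && p_iso->stream) cdio_stdio_destroy(p_iso->stream);` followed by the unconditional `free(p_iso);`. The jumps to this label are not visible here, so the NULL case is unconfirmed.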
@@ -1029,6 +1030,7 @@ _fs_stat_traverse (const CdIo_t *p_cdio,
if (!trans_fname) {
cdio_warn("can't allocate %lu bytes",
(long unsigned int) strlen(p_stat->filename));
+ free(p_stat);
return NULL;
}
trans_len = iso9660_name_translate_ext(p_stat->filename, trans_fname,
@@ -1135,6 +1137,7 @@ _fs_iso_stat_traverse (iso9660_t *p_iso,
if (!trans_fname) {
cdio_warn("can't allocate %lu bytes",
(long unsigned int) strlen(p_stat->filename));
+ free(p_stat);
return NULL;
}
trans_len = iso9660_name_translate_ext(p_stat->filename, trans_fname,
diff -up libcdio-0.82/lib/paranoia/paranoia.c.staticanal libcdio-0.82/lib/paranoia/paranoia.c
--- libcdio-0.82/lib/paranoia/paranoia.c.staticanal 2008-11-29 05:52:43.000000000 +0100
+++ libcdio-0.82/lib/paranoia/paranoia.c 2011-05-30 10:52:10.447487951 +0200
@@ -1357,14 +1357,14 @@ i_stage2_each(root_block *root, v_fragme
void(*callback)(long int, paranoia_cb_mode_t))
{
+ /* If this fragment has already been merged & freed, abort. */
+ if (!v || !v->one) return(0);
+
cdrom_paranoia_t *p=v->p;
/* ??? Why do we round down to an even dynoverlap? */
long dynoverlap=p->dynoverlap/2*2;
- /* If this fragment has already been merged & freed, abort. */
- if (!v || !v->one) return(0);
-
/* If there's no verified root yet, abort. */
if (!rv(root)){
return(0);
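Review bot: Moving the `!v || !v->one` test ahead of `v->p` fixes the dereference-before-check, but it leaves the declarations of `p` and `dynoverlap` after a statement, which older C dialects and `-Wdeclaration-after-statement` builds reject; the hunk does not show which standard the library is built for. Declaring first and assigning after the guard keeps both properties: `cdrom_paranoia_t *p; long dynoverlap;` then the check, then `p=v->p; dynoverlap=p->dynoverlap/2*2;`. The rest of i_stage2_each lies outside the hunk.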
diff -up libcdio-0.82/lib/udf/udf_file.c.staticanal libcdio-0.82/lib/udf/udf_file.c
--- libcdio-0.82/lib/udf/udf_file.c.staticanal 2008-11-29 05:52:43.000000000 +0100
+++ libcdio-0.82/lib/udf/udf_file.c 2011-05-30 10:52:10.449487951 +0200
@@ -192,9 +192,10 @@ offset_to_lba(const udf_dirent_t *p_udf_
*/
*pi_max_size = 0;
printf("Don't know how to data in ICB handle yet\n");
-
+ return CDIO_INVALID_LBA;
case ICBTAG_FLAG_AD_EXTENDED:
printf("Don't know how to handle extended addresses yet\n");
+ return CDIO_INVALID_LBA;
default:
printf("Unsupported allocation descriptor %d\n", addr_ilk);
return CDIO_INVALID_LBA;
diff -up libcdio-0.82/lib/udf/udf_fs.c.staticanal libcdio-0.82/lib/udf/udf_fs.c
--- libcdio-0.82/lib/udf/udf_fs.c.staticanal 2008-11-29 05:52:43.000000000 +0100
+++ libcdio-0.82/lib/udf/udf_fs.c 2011-05-30 10:52:10.450487951 +0200
@@ -658,8 +658,9 @@ udf_readdir(udf_dirent_t *p_udf_dirent)
uint8_t data[UDF_BLOCKSIZE] = {0};
udf_file_entry_t *p_udf_fe = (udf_file_entry_t *) &data;
- udf_read_sectors(p_udf, p_udf_fe, p_udf->i_part_start
- + p_udf_dirent->fid->icb.loc.lba, 1);
+ if (DRIVER_OP_SUCCESS != udf_read_sectors(p_udf, p_udf_fe, p_udf->i_part_start
+ + p_udf_dirent->fid->icb.loc.lba, 1))
+ return NULL;
memcpy(&(p_udf_dirent->fe), p_udf_fe,
sizeof(udf_file_entry_t) + p_udf_fe->i_alloc_descs
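Review bot: The added return-code check covers a failed read, but the `memcpy` that follows still takes part of its length from `p_udf_fe->i_alloc_descs`, a field of the sector just read, while the source is the UDF_BLOCKSIZE array `data`. The length expression is cut off at the end of the hunk, so the full sum is not visible; as far as it shows, nothing bounds it against `sizeof(data)` or against the size of the destination `p_udf_dirent->fe`. A check before the copy that returns NULL when the computed length exceeds UDF_BLOCKSIZE would keep a malformed image from causing an out-of-bounds copy.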
diff -up libcdio-0.82/src/cd-info.c.staticanal libcdio-0.82/src/cd-info.c
--- libcdio-0.82/src/cd-info.c.staticanal 2008-11-29 05:52:43.000000000 +0100
+++ libcdio-0.82/src/cd-info.c 2011-05-30 10:52:10.451487951 +0200
@@ -530,6 +530,8 @@ print_iso9660_recurse (CdIo_t *p_cdio, c
if (NULL == p_entlist) {
report( stderr, "Error getting above directory information\n" );
+ free(translated_name);
+ free(p_dirlist);
return;
}
diff -up libcdio-0.82/src/cd-paranoia/cd-paranoia.c.staticanal libcdio-0.82/src/cd-paranoia/cd-paranoia.c
--- libcdio-0.82/src/cd-paranoia/cd-paranoia.c.staticanal 2009-07-12 01:40:25.000000000 +0200
+++ libcdio-0.82/src/cd-paranoia/cd-paranoia.c 2011-05-30 10:52:10.452487951 +0200
@@ -342,7 +342,7 @@ callback(long int inpos, paranoia_cb_mod
if (callscript)
fprintf(stderr, "##: %d [%s] @ %ld\n",
- function, ((int) function >= -2 && (int) function <= 13 ?
+ function, ((int) function >= -2 && (int) function < 13 ?
callback_strings[function+2] : ""),
inpos);
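Review bot: The corrected upper bound `< 13` is still a literal that has to match the length of `callback_strings`, which is defined outside this hunk, so the same off-by-one can return whenever an entry is added or removed. Deriving the limit from the array keeps the two in step: `(unsigned)(function+2) < sizeof(callback_strings)/sizeof(callback_strings[0])`. That form only works if `callback_strings` is a true array in scope rather than a pointer.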
@@ -1138,6 +1138,11 @@ main(int argc,char *argv[])
if (optind+1<argc) {
if (!strcmp(argv[optind+1],"-") ){
out = dup(fileno(stdout));
+ if(out==-1){
+ report2("Cannot dupplicate stdout: %s",
+ strerror(errno));
+ exit(1);
+ }
if(batch)
report("Are you sure you wanted 'batch' "
"(-B) output with stdout?");
diff -up libcdio-0.82/src/cd-read.c.staticanal libcdio-0.82/src/cd-read.c
--- libcdio-0.82/src/cd-read.c.staticanal 2008-11-29 05:52:43.000000000 +0100
+++ libcdio-0.82/src/cd-read.c 2011-05-30 10:52:10.453487951 +0200
@@ -546,10 +546,13 @@ main(int argc, char *argv[])
break;
case READ_M1F2:
blocklen=M2RAW_SECTOR_SIZE;
+ break;
case READ_M2F1:
blocklen=CDIO_CD_FRAMESIZE;
+ break;
case READ_M2F2:
blocklen=M2F2_SECTOR_SIZE;
+ break;
default: ;
}
}
diff -up libcdio-0.82/src/iso-info.c.staticanal libcdio-0.82/src/iso-info.c
--- libcdio-0.82/src/iso-info.c.staticanal 2008-11-29 05:52:43.000000000 +0100
+++ libcdio-0.82/src/iso-info.c 2011-05-30 10:52:10.454487951 +0200
@@ -209,6 +209,8 @@ print_iso9660_recurse (iso9660_t *p_iso,
}
if (NULL == entlist) {
+ free(translated_name);
+ free(dirlist);
report( stderr, "Error getting above directory information\n" );
return;
}


@ -1,6 +1,6 @@
Name: libcdio
Version: 0.82
Release: 4%{?dist}
Release: 5%{?dist}
Summary: CD-ROM input and control library
Group: System Environment/Libraries
License: GPLv3+
@ -10,6 +10,7 @@ Source1: http://ftp.gnu.org/gnu/libcdio/libcdio-0.82.tar.gz.sig
Source2: libcdio-no_date_footer.hml
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch1: libcdio-0.82-sprintf.patch
Patch2: libcdio-0.82-staticanal.patch
BuildRequires: pkgconfig doxygen
BuildRequires: ncurses-devel
BuildRequires: help2man
@ -37,6 +38,7 @@ This package contains header files and libraries for %{name}.
%prep
%setup -q
%patch1 -p1 -b .sprintf
%patch2 -p1 -b .staticanal
f=src/cd-paranoia/doc/ja/cd-paranoia.1.in
iconv -f euc-jp -t utf-8 -o $f.utf8 $f && mv $f.utf8 $f
@ -133,6 +135,9 @@ fi
%changelog
* Mon May 30 2011 Honza Horak <hhorak@redhat.com> - 0.82-5
- applied patch to fix issues found by static analyses
* Thu May 19 2011 Honza Horak <hhorak@redhat.com> - 0.82-4
- fixed #705673 buffer overflow and other unprotected sprintf calls