From 65baae721b78580c48059535996697fec059093e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Honza=20Hor=C3=A1k?=
Date: Mon, 30 May 2011 11:53:29 +0200
Subject: [PATCH] applied patch to fix issues found by static analyses
---
libcdio-0.82-staticanal.patch | 337 ++++++++++++++++++++++++++++++++++
libcdio.spec | 7 +-
2 files changed, 343 insertions(+), 1 deletion(-)
create mode 100644 libcdio-0.82-staticanal.patch
diff --git a/libcdio-0.82-staticanal.patch b/libcdio-0.82-staticanal.patch
new file mode 100644
index 0000000..ba6886a
--- /dev/null
+++ b/libcdio-0.82-staticanal.patch
@@ -0,0 +1,337 @@
+diff -up libcdio-0.82/example/audio.c.staticanal libcdio-0.82/example/audio.c
+--- libcdio-0.82/example/audio.c.staticanal 2008-11-29 05:52:43.000000000 +0100
++++ libcdio-0.82/example/audio.c 2011-05-30 10:52:10.426487951 +0200
+@@ -340,6 +340,7 @@ main(int argc, char *argv[])
+ i_volume_level = atoi(optarg);
+ todo = SET_VOLUME;
+ }
++ break;
+ case 't':
+ if (NULL != (h = strchr(optarg,'-'))) {
+ *h = 0;
+diff -up libcdio-0.82/example/mmc2a.c.staticanal libcdio-0.82/example/mmc2a.c
+--- libcdio-0.82/example/mmc2a.c.staticanal 2008-11-29 05:52:43.000000000 +0100
++++ libcdio-0.82/example/mmc2a.c 2011-05-30 10:52:10.427487951 +0200
+@@ -41,7 +41,7 @@
+
+ static void
+ print_mode_sense (const char *psz_drive, const char *six_or_ten,
+- const uint8_t buf[22])
++ const uint8_t buf[30])
+ {
+ printf("Mode sense %s information for %s:\n", six_or_ten, psz_drive);
+ if (buf[2] & 0x01) {
+@@ -211,7 +211,7 @@ main(int argc, const char *argv[])
+ printf("Couldn't find CD\n");
+ return 1;
+ } else {
+- uint8_t buf[22] = { 0, }; /* Place to hold returned data */
++ uint8_t buf[30] = { 0, }; /* Place to hold returned data */
+ char *psz_cd = cdio_get_default_device(p_cdio);
+ if (DRIVER_OP_SUCCESS == mmc_mode_sense_6(p_cdio, buf, sizeof(buf),
+ CDIO_MMC_CAPABILITIES_PAGE) ) {
+diff -up libcdio-0.82/example/paranoia.c.staticanal libcdio-0.82/example/paranoia.c
+--- libcdio-0.82/example/paranoia.c.staticanal 2009-04-20 13:03:15.000000000 +0200
++++ libcdio-0.82/example/paranoia.c 2011-05-30 10:52:10.428487951 +0200
+@@ -129,6 +129,10 @@ main(int argc, const char *argv[])
+ track_t i_track = cdda_sector_gettrack(d, i_first_lsn);
+ lsn_t i_last_lsn = cdda_track_lastsector(d, i_track);
+ int fd = creat("track1s.wav", 0644);
++ if (-1 == fd) {
++ printf("Unable to create track1s.wav\n");
++ exit(1);
++ }
+
+ /* For demo purposes we'll read only 300 frames (about 4
+ seconds). We don't want this to take too long.
On the other
+diff -up libcdio-0.82/lib/cdda_interface/cddap_interface.c.staticanal libcdio-0.82/lib/cdda_interface/cddap_interface.c
+--- libcdio-0.82/lib/cdda_interface/cddap_interface.c.staticanal 2008-11-29 05:52:43.000000000 +0100
++++ libcdio-0.82/lib/cdda_interface/cddap_interface.c 2011-05-30 10:52:10.431487951 +0200
+@@ -281,6 +281,7 @@ verify_read_command(cdrom_drive_t *d)
+
+ if(!audioflag){
+ cdmessage(d,"\tCould not find any audio tracks on this disk.\n");
++ free(buff);
+ return(-403);
+ }
+
+diff -up libcdio-0.82/lib/cdda_interface/common_interface.c.staticanal libcdio-0.82/lib/cdda_interface/common_interface.c
+--- libcdio-0.82/lib/cdda_interface/common_interface.c.staticanal 2008-11-29 05:52:43.000000000 +0100
++++ libcdio-0.82/lib/cdda_interface/common_interface.c 2011-05-30 10:52:10.432487951 +0200
+@@ -58,8 +58,8 @@ data_bigendianp(cdrom_drive_t *d)
+ float *a=calloc(1024,sizeof(float));
+ float *b=calloc(1024,sizeof(float));
+ long readsectors=5;
+- int16_t *buff=malloc(readsectors*CDIO_CD_FRAMESIZE_RAW);
+- memset(buff, 0, readsectors*CDIO_CD_FRAMESIZE_RAW);
++ int16_t *buff=malloc(readsectors*CDIO_CD_FRAMESIZE_RAW*sizeof(int16_t));
++ memset(buff, 0, readsectors*CDIO_CD_FRAMESIZE_RAW*sizeof(int16_t));
+
+ /* look at the starts of the audio tracks */
+ /* if real silence, tool in until some static is found */
+diff -up libcdio-0.82/lib/cdda_interface/scan_devices.c.staticanal libcdio-0.82/lib/cdda_interface/scan_devices.c
+--- libcdio-0.82/lib/cdda_interface/scan_devices.c.staticanal 2009-07-03 01:41:48.000000000 +0200
++++ libcdio-0.82/lib/cdda_interface/scan_devices.c 2011-05-30 10:52:10.433487951 +0200
+@@ -323,7 +323,6 @@ cdda_identify_device_cdio(CdIo_t *p_cdio
+ snprintf( d->drive_model, i_len, "%s %s %s %s",
+ hw_info.psz_vendor, hw_info.psz_model, hw_info.psz_revision,
+ description );
+- free(description);
+ } else {
+ d->drive_model=malloc( i_len );
+ snprintf( d->drive_model, i_len, "%s %s %s",
+@@ -335,5 +334,8 @@
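Review bot: In the data_bigendianp hunk of common_interface.c the result of `malloc` is still handed straight to `memset`, so an allocation failure turns into a NULL-pointer write; the two `calloc` results for `a` and `b` just above are not checked within the hunk either. Because the buffer is zeroed anyway, `int16_t *buff=calloc(readsectors*CDIO_CD_FRAMESIZE_RAW, sizeof(int16_t));` followed by a NULL check covers both the sizing and the clearing. The new size multiplies what the constant's name suggests is a byte count by `sizeof(int16_t)`, so a one-line comment stating that `buff` is indexed in 16-bit samples up to that count would record why the larger allocation is intended. The function body continues outside the hunk.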
cdda_identify_device_cdio(CdIo_t *p_cdio
+ }
+ }
+
++ if (description)
++ free(description);
++
+ return(d);
+ }
+diff -up libcdio-0.82/lib/driver/device.c.staticanal libcdio-0.82/lib/driver/device.c
+--- libcdio-0.82/lib/driver/device.c.staticanal 2009-07-13 01:21:30.000000000 +0200
++++ libcdio-0.82/lib/driver/device.c 2011-05-30 10:52:10.435487951 +0200
+@@ -1044,7 +1044,7 @@ driver_return_code_t
+ cdio_set_blocksize ( const CdIo_t *p_cdio, int i_blocksize )
+ {
+ if (!p_cdio) return DRIVER_OP_UNINIT;
+- if (p_cdio->op.set_blocksize) return DRIVER_OP_UNSUPPORTED;
++ if (!p_cdio->op.set_blocksize) return DRIVER_OP_UNSUPPORTED;
+ return p_cdio->op.set_blocksize(p_cdio->env, i_blocksize);
+ }
+
+diff -up libcdio-0.82/lib/driver/gnu_linux.c.staticanal libcdio-0.82/lib/driver/gnu_linux.c
+--- libcdio-0.82/lib/driver/gnu_linux.c.staticanal 2009-07-03 01:31:58.000000000 +0200
++++ libcdio-0.82/lib/driver/gnu_linux.c 2011-05-30 10:52:10.437487951 +0200
+@@ -194,12 +194,14 @@ check_mounts_linux(const char *mtab)
+ }
+ }
+ }
+- if ( strcmp(mnt_type, "iso9660") == 0 ) {
+- if (is_cdrom_linux(mnt_dev, mnt_type) > 0) {
+- free(mnt_type);
+- endmntent(mntfp);
+- return mnt_dev;
+- }
++ if ( mnt_dev && mnt_dev ) {
++ if ( strcmp(mnt_type, "iso9660") == 0 ) {
++ if (is_cdrom_linux(mnt_dev, mnt_type) > 0) {
++ free(mnt_type);
++ endmntent(mntfp);
++ return mnt_dev;
++ }
++ }
+ }
+ free(mnt_dev);
+ free(mnt_type);
+diff -up libcdio-0.82/lib/driver/image/cdrdao.c.staticanal libcdio-0.82/lib/driver/image/cdrdao.c
+--- libcdio-0.82/lib/driver/image/cdrdao.c.staticanal 2008-11-29 05:52:43.000000000 +0100
++++ libcdio-0.82/lib/driver/image/cdrdao.c 2011-05-30 10:52:10.438487951 +0200
+@@ -621,18 +621,18 @@ parse_tocfile (_img_private_t *cd, const
+ goto format_error;
+ }
+ } else if (0 == strcmp ("COPY", psz_keyword)) {
+- if (NULL != cd)
++ if (NULL != cd && i >= 0)
+ cd->tocent[i].flags |= CDIO_TRACK_FLAG_COPY_PERMITTED;
+ } else if (0 == strcmp ("PRE_EMPHASIS", psz_keyword)) {
+-
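Review bot: The new guard in check_mounts_linux (gnu_linux.c) tests `mnt_dev` twice and never tests `mnt_type`, so `strcmp(mnt_type, "iso9660")` on the next line can still be reached with a NULL `mnt_type`, which is presumably the dereference the analyser reported. The condition should read `if ( mnt_dev && mnt_type ) {`. The `free(mnt_dev);` and `free(mnt_type);` calls after the block accept NULL, so nothing else in the visible lines needs to change.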
if (NULL != cd)
++ if (NULL != cd && i >= 0)
+ cd->tocent[i].flags |= CDIO_TRACK_FLAG_PRE_EMPHASIS;
+ /* TWO_CHANNEL_AUDIO */
+ } else if (0 == strcmp ("TWO_CHANNEL_AUDIO", psz_keyword)) {
+- if (NULL != cd)
++ if (NULL != cd && i >= 0)
+ cd->tocent[i].flags &= ~CDIO_TRACK_FLAG_FOUR_CHANNEL_AUDIO;
+ /* FOUR_CHANNEL_AUDIO */
+ } else if (0 == strcmp ("FOUR_CHANNEL_AUDIO", psz_keyword)) {
+- if (NULL != cd)
++ if (NULL != cd && i >= 0)
+ cd->tocent[i].flags |= CDIO_TRACK_FLAG_FOUR_CHANNEL_AUDIO;
+
+ /* ISRC "CCOOOYYSSSSS" */
+diff -up libcdio-0.82/lib/driver/image/nrg.c.staticanal libcdio-0.82/lib/driver/image/nrg.c
+--- libcdio-0.82/lib/driver/image/nrg.c.staticanal 2009-07-03 01:42:45.000000000 +0200
++++ libcdio-0.82/lib/driver/image/nrg.c 2011-05-30 10:52:10.440487951 +0200
+@@ -182,6 +182,7 @@ parse_nrg (_img_private_t *p_env, const
+ long unsigned int footer_start;
+ long unsigned int size;
+ char *footer_buf = NULL;
++ if (!p_env) return false;
+ size = cdio_stream_stat (p_env->gen.data_source);
+ if (-1 == size) return false;
+
+diff -up libcdio-0.82/lib/driver/mmc.c.staticanal libcdio-0.82/lib/driver/mmc.c
+--- libcdio-0.82/lib/driver/mmc.c.staticanal 2008-11-29 05:52:43.000000000 +0100
++++ libcdio-0.82/lib/driver/mmc.c 2011-05-30 10:52:10.442487951 +0200
+@@ -537,6 +537,7 @@ mmc_set_blocksize_private ( void *p_env,
+
+ memset (&mh, 0, sizeof (mh));
+ mh.block_desc_length = 0x08;
++ /* while i_blocksize is uint16_t, this expression is always 0 */
+ mh.block_length_hi = (i_blocksize >> 16) & 0xff;
+ mh.block_length_med = (i_blocksize >> 8) & 0xff;
+ mh.block_length_lo = (i_blocksize >> 0) & 0xff;
+diff -up libcdio-0.82/lib/driver/read.c.staticanal libcdio-0.82/lib/driver/read.c
+--- libcdio-0.82/lib/driver/read.c.staticanal 2008-11-29 05:52:43.000000000 +0100
++++ libcdio-0.82/lib/driver/read.c 2011-05-30 10:52:10.444487951 +0200
+@@ -176,7 +176,7 @@ cdio_read_mode1_sector (const CdIo_t *p_
+ if (p_cdio->op.read_mode1_sector) {
+ return
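Review bot: The four `i >= 0` guards added in parse_tocfile (cdrdao.c) reject only a negative index; nothing in the hunk bounds `i` from above before `cd->tocent[i].flags` is written. The TOC file is parsed input, so if `i` is the running track counter it should also be compared with the capacity of `tocent`, for example `if (NULL != cd && i >= 0 && i < TOCENT_CAPACITY)`, where `TOCENT_CAPACITY` is a placeholder for the array's declared size, which is not visible here. A flag keyword that appears before any track has been opened is now silently ignored, whereas the first lines of the hunk use `goto format_error` for malformed input; that may be the more consistent response. The function starts and ends outside the hunk.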
p_cdio->op.read_mode1_sector(p_cdio->env, p_buf, i_lsn, b_form2);
+ } else if (p_cdio->op.lseek && p_cdio->op.read) {
+- char buf[CDIO_CD_FRAMESIZE] = { 0, };
++ char buf[M2RAW_SECTOR_SIZE] = { 0, };
+ if (0 > cdio_lseek(p_cdio, CDIO_CD_FRAMESIZE*i_lsn, SEEK_SET))
+ return -1;
+ if (0 > cdio_read(p_cdio, buf, CDIO_CD_FRAMESIZE))
+diff -up libcdio-0.82/lib/iso9660/iso9660_fs.c.staticanal libcdio-0.82/lib/iso9660/iso9660_fs.c
+--- libcdio-0.82/lib/iso9660/iso9660_fs.c.staticanal 2008-11-29 05:52:43.000000000 +0100
++++ libcdio-0.82/lib/iso9660/iso9660_fs.c 2011-05-30 10:52:10.446487951 +0200
+@@ -192,10 +192,11 @@ iso9660_open_ext_private (const char *ps
+ return p_iso;
+
+ error:
+- if (p_iso && p_iso->stream) {
++ if (p_iso->stream)
+ cdio_stdio_destroy(p_iso->stream);
+- free(p_iso);
+- }
++
++ free(p_iso);
++
+ return NULL;
+ }
+
+@@ -1029,6 +1030,7 @@ _fs_stat_traverse (const CdIo_t *p_cdio,
+ if (!trans_fname) {
+ cdio_warn("can't allocate %lu bytes",
+ (long unsigned int) strlen(p_stat->filename));
++ free(p_stat);
+ return NULL;
+ }
+ trans_len = iso9660_name_translate_ext(p_stat->filename, trans_fname,
+@@ -1135,6 +1137,7 @@ _fs_iso_stat_traverse (iso9660_t *p_iso,
+ if (!trans_fname) {
+ cdio_warn("can't allocate %lu bytes",
+ (long unsigned int) strlen(p_stat->filename));
++ free(p_stat);
+ return NULL;
+ }
+ trans_len = iso9660_name_translate_ext(p_stat->filename, trans_fname,
+diff -up libcdio-0.82/lib/paranoia/paranoia.c.staticanal libcdio-0.82/lib/paranoia/paranoia.c
+--- libcdio-0.82/lib/paranoia/paranoia.c.staticanal 2008-11-29 05:52:43.000000000 +0100
++++ libcdio-0.82/lib/paranoia/paranoia.c 2011-05-30 10:52:10.447487951 +0200
+@@ -1357,14 +1357,14 @@ i_stage2_each(root_block *root, v_fragme
+ void(*callback)(long int, paranoia_cb_mode_t))
+ {
+
++ /* If this fragment has already been merged & freed, abort. */
++ if (!v || !v->one) return(0);
++
+ cdrom_paranoia_t *p=v->p;
+
+ /* ??? Why do we round down to an even dynoverlap?
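Review bot: In cdio_read_mode1_sector (read.c) the stack buffer grows to `M2RAW_SECTOR_SIZE`, but the `cdio_read` call on the last line of the hunk still requests only `CDIO_CD_FRAMESIZE` bytes. If the code after the hunk copies `M2RAW_SECTOR_SIZE` bytes out of `buf` for form 2, which would explain the analyser's report, the tail of that copy is now the zero initialiser rather than sector data. It is worth confirming that the length read and the length copied agree for both forms, and adding a comment on the declaration such as `/* sized for the larger (form 2) sector so the copy below cannot overread */`. The function continues outside the hunk.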
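Review bot: The rewritten `error:` path in iso9660_open_ext_private (iso9660_fs.c) now dereferences `p_iso` unconditionally, so it is safe only if no `goto error` can run while `p_iso` is NULL; the allocation and the jumps are outside the hunk, so that cannot be confirmed from here. If an allocation failure returns before any jump, a comment such as `/* p_iso is never NULL here: allocation failure returns before any goto error */` records the invariant; otherwise the test should stay `if (p_iso && p_iso->stream)` with `free(p_iso);` after it. The two `free(p_stat);` additions later in the same file may also need to release buffers owned by `p_stat`, which the hunks do not show.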
*/
+ long dynoverlap=p->dynoverlap/2*2;
+
+- /* If this fragment has already been merged & freed, abort. */
+- if (!v || !v->one) return(0);
+-
+ /* If there's no verified root yet, abort. */
+ if (!rv(root)){
+ return(0);
+diff -up libcdio-0.82/lib/udf/udf_file.c.staticanal libcdio-0.82/lib/udf/udf_file.c
+--- libcdio-0.82/lib/udf/udf_file.c.staticanal 2008-11-29 05:52:43.000000000 +0100
++++ libcdio-0.82/lib/udf/udf_file.c 2011-05-30 10:52:10.449487951 +0200
+@@ -192,9 +192,10 @@ offset_to_lba(const udf_dirent_t *p_udf_
+ */
+ *pi_max_size = 0;
+ printf("Don't know how to data in ICB handle yet\n");
+-
++ return CDIO_INVALID_LBA;
+ case ICBTAG_FLAG_AD_EXTENDED:
+ printf("Don't know how to handle extended addresses yet\n");
++ return CDIO_INVALID_LBA;
+ default:
+ printf("Unsupported allocation descriptor %d\n", addr_ilk);
+ return CDIO_INVALID_LBA;
+diff -up libcdio-0.82/lib/udf/udf_fs.c.staticanal libcdio-0.82/lib/udf/udf_fs.c
+--- libcdio-0.82/lib/udf/udf_fs.c.staticanal 2008-11-29 05:52:43.000000000 +0100
++++ libcdio-0.82/lib/udf/udf_fs.c 2011-05-30 10:52:10.450487951 +0200
+@@ -658,8 +658,9 @@ udf_readdir(udf_dirent_t *p_udf_dirent)
+ uint8_t data[UDF_BLOCKSIZE] = {0};
+ udf_file_entry_t *p_udf_fe = (udf_file_entry_t *) &data;
+
+- udf_read_sectors(p_udf, p_udf_fe, p_udf->i_part_start
+- + p_udf_dirent->fid->icb.loc.lba, 1);
++ if (DRIVER_OP_SUCCESS != udf_read_sectors(p_udf, p_udf_fe, p_udf->i_part_start
++ + p_udf_dirent->fid->icb.loc.lba, 1))
++ return NULL;
+
+ memcpy(&(p_udf_dirent->fe), p_udf_fe,
+ sizeof(udf_file_entry_t) + p_udf_fe->i_alloc_descs
+diff -up libcdio-0.82/src/cd-info.c.staticanal libcdio-0.82/src/cd-info.c
+--- libcdio-0.82/src/cd-info.c.staticanal 2008-11-29 05:52:43.000000000 +0100
++++ libcdio-0.82/src/cd-info.c 2011-05-30 10:52:10.451487951 +0200
+@@ -530,6 +530,8 @@ print_iso9660_recurse (CdIo_t *p_cdio, c
+
+ if (NULL == p_entlist) {
+ report( stderr, "Error getting above directory information\n" );
++ free(translated_name);
++
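Review bot: Moving the NULL test to the top of i_stage2_each (lib/paranoia/paranoia.c) places a statement ahead of the declarations of `p` and `dynoverlap`, which is C99 mixed declarations and code and draws a warning under `-Wdeclaration-after-statement` or a C90 build. Declaring both first and assigning after the guard keeps the original layout: `cdrom_paranoia_t *p; long dynoverlap;`, then after the check `p=v->p; dynoverlap=p->dynoverlap/2*2;`. The function continues outside the hunk.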
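Review bot: After the new return-value check in udf_readdir (udf_fs.c), the `memcpy` that follows still takes its length from `p_udf_fe->i_alloc_descs`, a field read from the medium, while its source is the `UDF_BLOCKSIZE`-byte `data` array. Nothing in the hunk compares that length with `UDF_BLOCKSIZE` or with the capacity of `p_udf_dirent->fe`, so a malformed file entry can push the copy past either buffer; the length expression continues outside the hunk, so the complete sum is what needs checking. Computing the byte count into a local first and returning NULL when it exceeds `UDF_BLOCKSIZE` (or the destination's size) before calling `memcpy` would bound it. Whether `return NULL` on a read failure must also release `p_udf_dirent` depends on how callers treat a NULL result, which is not visible here.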
free(p_dirlist); + return; + } + +diff -up libcdio-0.82/src/cd-paranoia/cd-paranoia.c.staticanal libcdio-0.82/src/cd-paranoia/cd-paranoia.c +--- libcdio-0.82/src/cd-paranoia/cd-paranoia.c.staticanal 2009-07-12 01:40:25.000000000 +0200 ++++ libcdio-0.82/src/cd-paranoia/cd-paranoia.c 2011-05-30 10:52:10.452487951 +0200 +@@ -342,7 +342,7 @@ callback(long int inpos, paranoia_cb_mod + + if (callscript) + fprintf(stderr, "##: %d [%s] @ %ld\n", +- function, ((int) function >= -2 && (int) function <= 13 ? ++ function, ((int) function >= -2 && (int) function < 13 ? + callback_strings[function+2] : ""), + inpos); + +@@ -1138,6 +1138,11 @@ main(int argc,char *argv[]) + if (optind+1 - 0.82-5 +- applied patch to fix issues found by static analyses + * Thu May 19 2011 Honza Horak - 0.82-4 - fixed #705673 buffer overflow and other unprotected sprintf calls
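Review bot: In print_iso9660_recurse (cd-info.c) the added `free(p_dirlist);` releases the pointer with plain `free`; its declaration is outside the hunk, but if `p_dirlist` is a libcdio list object this frees only the list header and leaks any nodes it holds. In that case the early return should use the list destructor, `_cdio_list_free(p_dirlist, true);`, matching whatever the normal exit path of the function does. The function starts and ends outside the hunk.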
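Review bot: The corrected upper bound in callback() (cd-paranoia.c) is still the literal `13`, kept in step by hand with the length of `callback_strings`, whose definition is outside the hunk. Deriving the limit from the array keeps the index check correct when entries are added or removed: `(int) function >= -2 && (size_t)(function + 2) < sizeof(callback_strings)/sizeof(callback_strings[0])`. That form is valid only if `callback_strings` is a true array in this scope rather than a pointer.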