From 969b9fbbf4fadbe48eb4d9fea071837d2d3eeb11 Mon Sep 17 00:00:00 2001
From: Bart Van Assche
Date: Sat, 23 May 2020 20:39:47 -0700
Subject: Do not read past the end of fmt_desc[]

Callers of parse_format() pass a size in bytes while the parse_format() function itself expects a number of elements. Fix this by making the fmt_desc[] array NULL-terminated. This patch fixes the following Coverity complaint:
CID 300986 (#1 of 1): Out-of-bounds access (OVERRUN) overrun-buffer-arg: Overrunning array fmt_desc of 1 24-byte elements by passing it to a function which accesses it at element index 23 (byte offset 575) using argument 24U.
Cc: Roman Pen
Fixes: 634bd210c17a ("lib/pattern: add set of functions to parse combined pattern input")
Signed-off-by: Bart Van Assche
---
 lib/pattern.c | 11 +++--------
 lib/pattern.h | 1 -
 2 files changed, 3 insertions(+), 9 deletions(-)
(limited to 'lib')
diff --git a/lib/pattern.c b/lib/pattern.c
index 04d30657..680a12be 100644
--- a/lib/pattern.c
+++ b/lib/pattern.c
@@ -205,7 +205,6 @@ static const char *parse_number(const char *beg, char *out,
  * @parsed - number of bytes which were already parsed so far
  * @out_len - length of the output buffer
  * @fmt_desc - format descriptor array, what we expect to find
- * @fmt_desc_sz - size of the format descriptor array
  * @fmt - format array, the output
  * @fmt_sz - size of format array
  *
@@ -223,19 +222,18 @@ static const char *parse_number(const char *beg, char *out,
 static const char *parse_format(const char *in, char *out, unsigned int parsed,
  unsigned int out_len, unsigned int *filled,
  const struct pattern_fmt_desc *fmt_desc,
- unsigned int fmt_desc_sz,
  struct pattern_fmt *fmt, unsigned int fmt_sz)
 {
  int i;
  struct pattern_fmt *f = NULL;
  unsigned int len = 0;
 
- if (!out_len || !fmt_desc || !fmt_desc_sz || !fmt || !fmt_sz)
+ if (!out_len || !fmt_desc || !fmt || !fmt_sz)
  return NULL;
 
  assert(*in == '%');
 
- for (i = 0; i < fmt_desc_sz; i++) {
+ for (i = 0; fmt_desc[i].fmt; i++) {
  const struct pattern_fmt_desc *desc;
 
  desc = &fmt_desc[i];
@@ -267,7 +265,6 @@ static const char *parse_format(const char *in, char *out, unsigned int parsed,
  * @out - output buffer where parsed result will be put
  * @out_len - lengths of the output buffer
  * @fmt_desc - array of pattern format descriptors [input]
- * @fmt_desc_sz - size of the format descriptor array
  * @fmt - array of pattern formats [output]
  * @fmt_sz - pointer where the size of pattern formats array stored [input],
  * after successfull parsing this pointer will contain the number
@@ -311,7 +308,6 @@ static const char *parse_format(const char *in, char *out, unsigned int parsed,
 int parse_and_fill_pattern(const char *in, unsigned int in_len,
  char *out, unsigned int out_len,
  const struct pattern_fmt_desc *fmt_desc,
- unsigned int fmt_desc_sz,
  struct pattern_fmt *fmt,
  unsigned int *fmt_sz_out)
 {
@@ -340,8 +336,7 @@ int parse_and_fill_pattern(const char *in, unsigned int in_len,
  break;
  case '%':
  end = parse_format(beg, out, out - out_beg, out_len,
- &filled, fmt_desc, fmt_desc_sz,
- fmt, fmt_rem);
+ &filled, fmt_desc, fmt, fmt_rem);
  parsed_fmt = 1;
  break;
  default:
diff --git a/lib/pattern.h b/lib/pattern.h
index 2d655ad0..a6d9d6b4 100644
--- a/lib/pattern.h
+++ b/lib/pattern.h
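Review bot: The loop `for (i = 0; fmt_desc[i].fmt; i++)` in parse_format() makes correctness depend on every descriptor table ending in an entry whose .fmt is NULL, and a table without that terminator would reproduce the same out-of-bounds read the commit is fixing; no terminator is added anywhere in this diff, and since the view is limited to 'lib' that part presumably lives outside it, so it is worth confirming. The requirement is not written down: the kernel-doc in the hunks at -205 and -267 drops @fmt_desc_sz but still describes @fmt_desc only as an array, and the prototype in lib/pattern.h (hunk at -24) carries no comment either. I would extend both kernel-doc lines to `@fmt_desc - format descriptor array, terminated by an entry whose .fmt is NULL` and put the same sentence above the declaration in the header. The body of parse_format() continues past the hunk.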
@@ -24,7 +24,6 @@ struct pattern_fmt {
 int parse_and_fill_pattern(const char *in, unsigned int in_len,
  char *out, unsigned int out_len,
  const struct pattern_fmt_desc *fmt_desc,
- unsigned int fmt_desc_sz,
  struct pattern_fmt *fmt,
  unsigned int *fmt_sz_out);
 
-- 
cgit v1.2.3