diff options
author | Sami Tolvanen <samitolvanen@google.com> | 2015-05-12 13:48:46 +0200 |
---|---|---|
committer | Sami Tolvanen <samitolvanen@google.com> | 2015-05-15 19:48:28 +0200 |
commit | f2bac04e1ba0a5b79f8adbc35b493923b776f8b2 (patch) | |
tree | 760b6e7841c67fe9b299501b3042009c43a524bf | |
parent | Merge "init sets the default PATH itself, better." (diff) | |
download | android_bootable_recovery-f2bac04e1ba0a5b79f8adbc35b493923b776f8b2.tar android_bootable_recovery-f2bac04e1ba0a5b79f8adbc35b493923b776f8b2.tar.gz android_bootable_recovery-f2bac04e1ba0a5b79f8adbc35b493923b776f8b2.tar.bz2 android_bootable_recovery-f2bac04e1ba0a5b79f8adbc35b493923b776f8b2.tar.lz android_bootable_recovery-f2bac04e1ba0a5b79f8adbc35b493923b776f8b2.tar.xz android_bootable_recovery-f2bac04e1ba0a5b79f8adbc35b493923b776f8b2.tar.zst android_bootable_recovery-f2bac04e1ba0a5b79f8adbc35b493923b776f8b2.zip |
-rw-r--r-- | updater/blockimg.c | 81 |
1 files changed, 71 insertions, 10 deletions
diff --git a/updater/blockimg.c b/updater/blockimg.c index 532e7b845..a98cdcccf 100644 --- a/updater/blockimg.c +++ b/updater/blockimg.c @@ -60,30 +60,91 @@ typedef struct { int pos[0]; } RangeSet; +#define RANGESET_MAX_POINTS \ + ((int)((INT_MAX / sizeof(int)) - sizeof(RangeSet))) + static RangeSet* parse_range(char* text) { char* save; - int num; - num = strtol(strtok_r(text, ",", &save), NULL, 0); + char* token; + int i, num; + long int val; + RangeSet* out = NULL; + size_t bufsize; - RangeSet* out = malloc(sizeof(RangeSet) + num * sizeof(int)); - if (out == NULL) { - fprintf(stderr, "failed to allocate range of %zu bytes\n", - sizeof(RangeSet) + num * sizeof(int)); - exit(1); + if (!text) { + goto err; + } + + token = strtok_r(text, ",", &save); + + if (!token) { + goto err; + } + + val = strtol(token, NULL, 0); + + if (val < 2 || val > RANGESET_MAX_POINTS) { + goto err; + } else if (val % 2) { + goto err; // must be even + } + + num = (int) val; + bufsize = sizeof(RangeSet) + num * sizeof(int); + + out = malloc(bufsize); + + if (!out) { + fprintf(stderr, "failed to allocate range of %zu bytes\n", bufsize); + goto err; } + out->count = num / 2; out->size = 0; - int i; + for (i = 0; i < num; ++i) { - out->pos[i] = strtol(strtok_r(NULL, ",", &save), NULL, 0); - if (i%2) { + token = strtok_r(NULL, ",", &save); + + if (!token) { + goto err; + } + + val = strtol(token, NULL, 0); + + if (val < 0 || val > INT_MAX) { + goto err; + } + + out->pos[i] = (int) val; + + if (i % 2) { + if (out->pos[i - 1] >= out->pos[i]) { + goto err; // empty or negative range + } + + if (out->size > INT_MAX - out->pos[i]) { + goto err; // overflow + } + out->size += out->pos[i]; } else { + if (out->size < 0) { + goto err; + } + out->size -= out->pos[i]; } } + if (out->size <= 0) { + goto err; + } + return out; + +err: + fprintf(stderr, "failed to parse range '%s'\n", text ? text : "NULL"); + exit(1); } static int range_overlaps(RangeSet* r1, RangeSet* r2) { |