Author: Andreas Tille <tille@debian.org>
Last-Update: Mon, 14 Dec 2015 16:44:19 +0100
Bug-Debian: http://bugs.debian.org/715701,
http://bugs.debian.org/715702
Description: Fix crashes reported by Mayhem
See http://www.drpaulcarter.com/cs/common-c-errors.php#4.1
to make the fgetc() handling safer. However, the original problem is
that for empty strings no space at all is allocated. This is
now done in advance.
--- a/src/ICM/build-fixed.cc
|
|
11 |
+++ b/src/ICM/build-fixed.cc
|
|
12 |
@@ -234,20 +234,24 @@ static int Read_String
|
|
13 |
{
|
|
14 |
int ch, ct;
|
|
15 |
|
|
16 |
- while ((ch = fgetc (fp)) != EOF && ch != '>')
|
|
17 |
+ while ((ch = fgetc (fp)) != EOF && ch != ((int) '>'))
|
|
18 |
;
|
|
19 |
|
|
20 |
if (ch == EOF)
|
|
21 |
return FALSE;
|
|
22 |
|
|
23 |
ct = 0;
|
|
24 |
- while ((ch = fgetc (fp)) != EOF && ch != '\n' && isspace (ch))
|
|
25 |
+ while ((ch = fgetc (fp)) != EOF && ch != ((int) '\n') && isspace (ch))
|
|
26 |
;
|
|
27 |
if (ch == EOF)
|
|
28 |
return FALSE;
|
|
29 |
- if (ch != '\n' && ! isspace (ch))
|
|
30 |
+ if (ch != ((int) '\n') && ! isspace (ch))
|
|
31 |
ungetc (ch, fp);
|
|
32 |
- while ((ch = fgetc (fp)) != EOF && ch != '\n')
|
|
33 |
+ if (tag_size == 0 ) {
|
|
34 |
+ tag_size += INCR_SIZE;
|
|
35 |
+ tag = (char *) Safe_realloc (tag, tag_size);
|
|
36 |
+ }
|
|
37 |
+ while ((ch = fgetc (fp)) != EOF && ch != ((int) '\n'))
|
|
38 |
{
|
|
39 |
if (ct >= tag_size - 1)
|
|
40 |
{
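Review bot: The `((int) '>')` and `((int) '\n')` casts added to the `while` conditions are no-ops — in both C and C++ the character constant is promoted to `int` before it is compared with `ch`, so they change nothing and only make the conditions harder to read; the bare `'>'`/`'\n'` of the old lines should stay. The real fix is the new `if (tag_size == 0)` block, which guarantees `tag` points at storage before the `tag [ct ++] = '\0'` store (past the end of this hunk) runs on an empty name where the loop reads nothing; it deserves a comment so nobody folds it back into the loop, e.g. `// Pre-allocate so the terminator store below has room even when no name characters are read.` The same two points apply to the `s_size` block in the next hunk and to the matching hunks in build-icm.cc and score-fixed.cc, and the stray space in `if (tag_size == 0 )` here and in score-fixed.cc should go. Read_String begins before this hunk, so whether `tag`/`tag_size` are function statics or file globals carried across calls cannot be seen from here.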
|
|
41 |
@@ -259,7 +263,11 @@ static int Read_String
|
|
42 |
tag [ct ++] = '\0';
|
|
43 |
|
|
44 |
ct = 0;
|
|
45 |
- while ((ch = fgetc (fp)) != EOF && ch != '>')
|
|
46 |
+ if (s_size == 0) {
|
|
47 |
+ s_size += INCR_SIZE;
|
|
48 |
+ s = (char *) Safe_realloc (s, s_size);
|
|
49 |
+ }
|
|
50 |
+ while ((ch = fgetc (fp)) != EOF && ch != ((int) '>'))
|
|
51 |
{
|
|
52 |
if (isspace (ch))
|
|
53 |
continue;
|
|
54 |
--- a/src/ICM/build-icm.cc
|
|
55 |
+++ b/src/ICM/build-icm.cc
|
|
56 |
@@ -271,20 +271,24 @@ static int Read_String
|
|
57 |
{
|
|
58 |
int ch, ct;
|
|
59 |
|
|
60 |
- while ((ch = fgetc (fp)) != EOF && ch != '>')
|
|
61 |
+ while ((ch = fgetc (fp)) != EOF && ch != ((int) '>'))
|
|
62 |
;
|
|
63 |
|
|
64 |
if (ch == EOF)
|
|
65 |
return FALSE;
|
|
66 |
|
|
67 |
ct = 0;
|
|
68 |
- while ((ch = fgetc (fp)) != EOF && ch != '\n' && isspace (ch))
|
|
69 |
+ while ((ch = fgetc (fp)) != EOF && ch != ((int) '\n') && isspace (ch))
|
|
70 |
;
|
|
71 |
if (ch == EOF)
|
|
72 |
return FALSE;
|
|
73 |
if (ch != '\n' && ! isspace (ch))
|
|
74 |
ungetc (ch, fp);
|
|
75 |
- while ((ch = fgetc (fp)) != EOF && ch != '\n')
|
|
76 |
+ if (tag_size == 0) {
|
|
77 |
+ tag_size += INCR_SIZE;
|
|
78 |
+ tag = (char *) Safe_realloc (tag, tag_size);
|
|
79 |
+ }
|
|
80 |
+ while ((ch = fgetc (fp)) != EOF && ch != ((int) '\n'))
|
|
81 |
{
|
|
82 |
if (ct >= tag_size - 1)
|
|
83 |
{
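Review bot: The `if (ch != '\n' && ! isspace (ch))` line is left without the `((int) '\n')` cast in this hunk and in the score-fixed.cc hunk, while build-fixed.cc changes it — if the casts are kept at all, the three files should be changed the same way, and since the casts are semantically inert the cleaner choice is to drop them in all three. Read_String is evidently copy-pasted across build-fixed.cc, build-icm.cc and score-fixed.cc, which is why this one bug needed three identical fixes; a follow-up that moves the reader into a shared source file would keep the next fix from being applied inconsistently (inferred from the identical hunks, the rest of each file is not visible). The function begins before the hunk.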
|
|
84 |
@@ -296,7 +300,11 @@ static int Read_String
|
|
85 |
tag [ct ++] = '\0';
|
|
86 |
|
|
87 |
ct = 0;
|
|
88 |
- while ((ch = fgetc (fp)) != EOF && ch != '>')
|
|
89 |
+ if (s_size == 0) {
|
|
90 |
+ s_size += INCR_SIZE;
|
|
91 |
+ s = (char *) Safe_realloc (s, s_size);
|
|
92 |
+ }
|
|
93 |
+ while ((ch = fgetc (fp)) != EOF && ch != ((int) '>'))
|
|
94 |
{
|
|
95 |
if (isspace (ch))
|
|
96 |
continue;
|
|
97 |
--- a/src/ICM/score-fixed.cc
|
|
98 |
+++ b/src/ICM/score-fixed.cc
|
|
99 |
@@ -163,20 +163,24 @@ int Read_String
|
|
100 |
{
|
|
101 |
int ch, ct;
|
|
102 |
|
|
103 |
- while ((ch = fgetc (fp)) != EOF && ch != '>')
|
|
104 |
+ while ((ch = fgetc (fp)) != EOF && ch != ((int) '>'))
|
|
105 |
;
|
|
106 |
|
|
107 |
if (ch == EOF)
|
|
108 |
return FALSE;
|
|
109 |
|
|
110 |
ct = 0;
|
|
111 |
- while ((ch = fgetc (fp)) != EOF && ch != '\n' && isspace (ch))
|
|
112 |
+ while ((ch = fgetc (fp)) != EOF && ch != ((int) '\n') && isspace (ch))
|
|
113 |
;
|
|
114 |
if (ch == EOF)
|
|
115 |
return FALSE;
|
|
116 |
if (ch != '\n' && ! isspace (ch))
|
|
117 |
ungetc (ch, fp);
|
|
118 |
- while ((ch = fgetc (fp)) != EOF && ch != '\n')
|
|
119 |
+ if (tag_size == 0 ) {
|
|
120 |
+ tag_size += INCR_SIZE;
|
|
121 |
+ tag = (char *) Safe_realloc (tag, tag_size);
|
|
122 |
+ }
|
|
123 |
+ while ((ch = fgetc (fp)) != EOF && ch != ((int) '\n'))
|
|
124 |
{
|
|
125 |
if (ct >= tag_size - 1)
|
|
126 |
{
|
|
127 |
@@ -188,7 +192,11 @@ int Read_String
|
|
128 |
tag [ct ++] = '\0';
|
|
129 |
|
|
130 |
ct = 0;
|
|
131 |
- while ((ch = fgetc (fp)) != EOF && ch != '>')
|
|
132 |
+ if (s_size == 0) {
|
|
133 |
+ s_size += INCR_SIZE;
|
|
134 |
+ s = (char *) Safe_realloc (s, s_size);
|
|
135 |
+ }
|
|
136 |
+ while ((ch = fgetc (fp)) != EOF && ch != ((int) '>'))
|
|
137 |
{
|
|
138 |
if (isspace (ch))
|
|
139 |
continue;
|