[hackers] [PATCH 2/8] od: Don't advance past end of type string

From: Michael Forney <mforney_AT_mforney.org>
Date: Fri, 8 Jul 2016 10:24:08 -0700

Currently, if you specify -t x, then s is advanced once in the switch statement
to determine the length, and then once again in the for loop, resulting in a
read past the end of the argument.

Also, use sizeof(int) when no length is specified, as specified by POSIX.
---
 od.c | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/od.c b/od.c
index c448ac5..9b83501 100644
--- a/od.c
+++ b/od.c
_AT_@ -196,7 +196,7 @@ main(int argc, char *argv[])
 {
 	FILE *fp;
 	struct type *t;
-	int ret = 0;
+	int ret = 0, len;
 	char *s;
 
 	big_endian = (*(uint16_t *)"\0\xff" == 0xff);
_AT_@ -244,30 +244,28 @@ main(int argc, char *argv[])
 			case 'o':
 			case 'u':
 			case 'x':
-				t = emalloc(sizeof(*t));
-				t->format = *s;
 				/* todo: allow multiple digits */
 				if (*(s+1) > '0' && *(s+1) <= '9') {
-					t->len = *(++s) - '0';
+					len = *(s+1) - '0';
 				} else {
-					switch (*(++s)) {
+					switch (*(s+1)) {
 					case 'C':
-						t->len = sizeof(char);
+						len = sizeof(char);
 						break;
 					case 'S':
-						t->len = sizeof(short);
+						len = sizeof(short);
 						break;
 					case 'I':
-						t->len = sizeof(int);
+						len = sizeof(int);
 						break;
 					case 'L':
-						t->len = sizeof(long);
+						len = sizeof(long);
 						break;
 					default:
-						t->len = 4;
+						len = sizeof(int);
 					}
 				}
-				TAILQ_INSERT_TAIL(&head, t, entry);
+				addtype(*s++, len);
 				break;
 			default:
 				usage();
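Review bot: `addtype(*s++, len)` at the end of the hunk advances s by exactly one whether or not a length suffix followed the format letter, so `-t x1` and `-t x` leave s in the same relative position and at most one of them can be positioned correctly. The enclosing for loop starts before the hunk; if, as the description says, that loop also increments s, then `-t x` still steps past the terminating NUL (the over-read this patch means to remove) and `-t xc` would skip the `c` without complaint. Consume the suffix only when one was recognised: let the default case leave len at 0, pass `*s` rather than `*s++` to addtype with `len ? len : sizeof(int)`, and step over the suffix with `if (len) s++;`, leaving the one-per-character advance to the loop. This keeps the POSIX default of sizeof(int) while making the pointer movement depend on whether a suffix was actually present.
```c
				/* … unchanged: digit branch and the C/S/I/L cases … */
					default:
						len = 0;	/* no recognised suffix */
					}
				}
				addtype(*s, len ? len : sizeof(int));
				if (len)
					s++;	/* step over the consumed length suffix */
```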
-- 
2.6.2