|
35 | 35 | #include "file.h" |
36 | 36 |
|
37 | 37 | #ifndef lint |
38 | | -FILE_RCSID("@(#)$File: cdf.c,v 1.45 2011/08/28 08:38:48 christos Exp $") |
| 38 | +FILE_RCSID("@(#)$File: cdf.c,v 1.46 2011/09/16 21:23:59 christos Exp $") |
39 | 39 | #endif |
40 | 40 |
|
41 | 41 | #include <assert.h> |
@@ -341,18 +341,25 @@ ssize_t |
341 | 341 | cdf_read_sector(const cdf_info_t *info, void *buf, size_t offs, size_t len, |
342 | 342 | const cdf_header_t *h, cdf_secid_t id) |
343 | 343 | { |
344 | | - assert((size_t)CDF_SEC_SIZE(h) == len); |
345 | | - return cdf_read(info, (off_t)CDF_SEC_POS(h, id), |
346 | | - ((char *)buf) + offs, len); |
| 344 | + size_t ss = CDF_SEC_SIZE(h); |
| 345 | + size_t pos = CDF_SEC_POS(h, id); |
| 346 | + assert(ss == len); |
| 347 | + return cdf_read(info, (off_t)pos, ((char *)buf) + offs, len); |
347 | 348 | } |
348 | 349 |
|
349 | 350 | ssize_t |
350 | 351 | cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs, |
351 | 352 | size_t len, const cdf_header_t *h, cdf_secid_t id) |
352 | 353 | { |
353 | | - assert((size_t)CDF_SHORT_SEC_SIZE(h) == len); |
| 354 | + size_t ss = CDF_SHORT_SEC_SIZE(h); |
| 355 | + size_t pos = CDF_SHORT_SEC_POS(h, id); |
| 356 | + assert(ss == len); |
| 357 | + if (sst->sst_len < (size_t)id) { |
| 358 | + DPRINTF(("bad sector id %d > %d\n", id, sst->sst_len)); |
| 359 | + return -1; |
| 360 | + } |
354 | 361 | (void)memcpy(((char *)buf) + offs, |
355 | | - ((const char *)sst->sst_tab) + CDF_SHORT_SEC_POS(h, id), len); |
| 362 | + ((const char *)sst->sst_tab) + pos, len); |
356 | 363 | return len; |
357 | 364 | } |
358 | 365 |
|
@@ -868,6 +875,8 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, |
868 | 875 | inp[i].pi_str.s_buf)); |
869 | 876 | l = 4 + (uint32_t)CDF_ROUND(l, sizeof(l)); |
870 | 877 | o += l >> 2; |
| 878 | + if (q + o >= e) |
| 879 | + goto out; |
871 | 880 | o4 = o * sizeof(uint32_t); |
872 | 881 | } |
873 | 882 | i--; |
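Review bot: The new guard in cdf_read_short_sector, `if (sst->sst_len < (size_t)id)`, compares the sector id with `sst_len` but never bounds the byte range the following memcpy reads, which runs from `pos` to `pos + len` inside `sst_tab`. An id equal to `sst_len` passes the test, and if `sst_len` is not a count of short sectors (its unit is not visible in this section) the comparison says nothing about `pos`, so a malformed file could still push the copy past the end of the table. I would check the range in bytes instead, for example `if (pos > tab_bytes || len > tab_bytes - pos) return -1;`, where `tab_bytes` is a placeholder for the allocated size of `sst_tab`. Separately, `assert(ss == len)` compiles away under NDEBUG, so it should not serve as validation of header-derived sizes, and the DPRINTF passes `sst->sst_len`, which the guard treats as a size_t, to a `%d` conversion.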
|