Roman I Khimov:

If cdf_count_chain() is called with sid < 0, then we end up returning zero length, which in turn leads to calloc() calls for 0 bytes in cdf_read_long_sector_chain(), cdf_read_short_sector_chain() and cdf_read_ssat(). Depending on calloc() implementation we can end up returning -1 or 0 from those. As negative sid is probably wrong case anyway, it might be better to always return -1. Issue found by clang static analysis.
file · May 13, 2014 · 961f384 · 961f384
1 parent 2d1b6fd
commit 961f384
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/cdf.c b/src/cdf.c
@@ -35,7 +35,7 @@
 #include "file.h"
 
 #ifndef lint
-FILE_RCSID("@(#)$File: cdf.c,v 1.56 2014/05/05 16:11:21 christos Exp $")
+FILE_RCSID("@(#)$File: cdf.c,v 1.57 2014/05/06 18:20:39 christos Exp $")
 #endif
 
 #include <assert.h>
@@ -472,6 +472,11 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
 		}
 		sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]);
 	}
+	if (i == 0) {
+		DPRINTF((" none, sid: %d\n", sid));
+		return (size_t)-1;
+
+	}
 	DPRINTF(("\n"));
 	return i;
 }