Skip to content

Commit

Permalink
libticalcs: harden write to infos->product_name by checking the param…
Browse files Browse the repository at this point in the history 
… size.
  • Loading branch information
@adriweb @debrouxl
adriweb authored and debrouxl committed Jan 29, 2023
1 parent eb3d406 commit 5d01e98
Show file tree
Hide file tree
Showing 3 changed files with 33 additions and 15 deletions.
3 changes: 2 additions & 1 deletion libticalcs/trunk/src/calc_84p.cc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1762,7 +1762,8 @@ static int get_version (CalcHandle* handle, CalcInfos* infos)

if (params[i]->ok)
{
ticalcs_strlcpy(infos->product_name, (char *)params[i]->data, sizeof(infos->product_name));
const uint32_t maxsize = params[i]->size < sizeof(infos->product_name) ? params[i]->size + 1 : sizeof(infos->product_name);
ticalcs_strlcpy(infos->product_name, (char *)params[i]->data, maxsize);
infos_mask |= INFOS_PRODUCT_NAME;
}
i++;
Expand Down
3 changes: 2 additions & 1 deletion libticalcs/trunk/src/calc_89t.cc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1197,7 +1197,8 @@ static int get_version (CalcHandle* handle, CalcInfos* infos)

if (params1[i]->ok)
{
ticalcs_strlcpy(infos->product_name, (char *)params1[i]->data, sizeof(infos->product_name));
const uint32_t maxsize = params1[i]->size < sizeof(infos->product_name) ? params1[i]->size + 1 : sizeof(infos->product_name);
ticalcs_strlcpy(infos->product_name, (char *)params1[i]->data, maxsize);
infos_mask |= INFOS_PRODUCT_NAME;
}
i++;
Expand Down
42 changes: 29 additions & 13 deletions libticalcs/trunk/src/calc_nsp.cc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -513,18 +513,26 @@ static int get_memfree (CalcHandle* handle, uint32_t* ram, uint32_t* flash)
ret = nsp_cmd_r_dev_infos(handle, &cmd, &size, &data);
if (!ret)
{
*flash = ( (((uint32_t)data[4]) << 24)
| (((uint32_t)data[5]) << 16)
| (((uint32_t)data[6]) << 8)
| (((uint32_t)data[7]) ));

*ram = ( (((uint32_t)data[20]) << 24)
| (((uint32_t)data[21]) << 16)
| (((uint32_t)data[22]) << 8)
| (((uint32_t)data[23]) ));
if (size >= 24)
{
*flash = ( (((uint32_t)data[4]) << 24)
| (((uint32_t)data[5]) << 16)
| (((uint32_t)data[6]) << 8)
| (((uint32_t)data[7]) ));

*ram = ( (((uint32_t)data[20]) << 24)
| (((uint32_t)data[21]) << 16)
| (((uint32_t)data[22]) << 8)
| (((uint32_t)data[23]) ));
}
else
{
ret = ERR_INVALID_PACKET;
*flash = 0;
*ram = 0;
}

g_free(data);

}
}

Expand Down Expand Up @@ -747,8 +755,16 @@ static int recv_idlist (CalcHandle* handle, uint8_t* id)
ret = nsp_cmd_r_dev_infos(handle, &cmd, &size, &data);
if (!ret)
{
strncpy((char *)id, (char*)(data + 82), 28);
id[28] = 0;
if (size >= 110)
{
strncpy((char *)id, (char*)(data + 82), 28);
id[28] = 0;
}
else
{
ret = ERR_INVALID_PACKET;
id[0] = 0;
}
g_free(data);
}
}
Expand Down Expand Up @@ -906,7 +922,7 @@ static int get_version (CalcHandle* handle, CalcInfos* infos)
break;
}

ticalcs_strlcpy(infos->product_name, (char *)data, sizeof(infos->product_name));
ticalcs_strlcpy(infos->product_name, (char *)data, size < sizeof(infos->product_name) ? size + 1 : sizeof(infos->product_name));
infos_mask = INFOS_PRODUCT_NAME;

g_free(data);
Expand Down

0 comments on commit 5d01e98

Please sign in to comment.