author: Lubomir I. Ivanov <neolit123@gmail.com> 2018-06-19 03:19:56 +0300
committer: Dirk Hohndel <dirk@hohndel.org> 2018-06-20 09:30:58 +0900
commit: 769aca9e956cd4bb7cc97be813968348f5e7f3d2 (patch)
tree: 4bd6d0a57efbce1b5b2885cce9993802ce3bbb06 /core/dive.h
parent: a5380bb741c1081c86353cf5cd7b506b97e02ea9 (diff)
download: subsurface-769aca9e956cd4bb7cc97be813968348f5e7f3d2.tar.gz
equipment: sanitize 'tank_info' loop limits
In a number of places the global 'tank_info' array is being iterated based on a 'tank_info[idx].name != NULL' condition.

This is dangerous because if the user has added a lot of tanks, such loops can reach 'tank_info[MAX_TANK_INFO]'. This is an out of bounds read and if the 'name' pointer there happens to be non-NULL, passing that address to a piece of code that tries to read it (like strlen()) would either SIGSEGV or have undefined behavior.

Clamp all loops that iterate 'tank_info' to MAX_TANK_INFO.

Signed-off-by: Lubomir I. Ivanov <neolit123@gmail.com>
Diffstat (limited to 'core/dive.h')
0 files changed, 0 insertions, 0 deletions
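
The loop pattern the commit message describes, shown as an added example that is not code from the Subsurface tree. The struct layout, the small MAX_TANK_INFO value, the sample entries and the helper names `count_tanks_unclamped`, `count_tanks` and `add_tank` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_TANK_INFO 4 /* constructed small limit so the table fills quickly */

/* Assumed layout: only the 'name' field is mentioned in the commit message. */
struct tank_info_t {
	const char *name;
	int ml;
};

/* Constructed sample table; a NULL name marks the first free slot. */
static struct tank_info_t tank_info[MAX_TANK_INFO] = {
	{ "AL80", 11100 },
	{ "HP100", 12900 },
};

/* Sentinel-only loop: correct only while a NULL name still exists inside
 * the array. With a full table it would go on to read tank_info[MAX_TANK_INFO]. */
static size_t count_tanks_unclamped(void)
{
	size_t i = 0;
	while (tank_info[i].name != NULL)
		i++;
	return i;
}

/* Clamped loop: the index is tested first, so the element one past the end
 * is never evaluated even when every slot is in use. */
static size_t count_tanks(void)
{
	size_t i = 0;
	while (i < MAX_TANK_INFO && tank_info[i].name != NULL)
		i++;
	return i;
}

/* Hypothetical helper: append a tank, refusing when the table is full. */
static int add_tank(const char *name, int ml)
{
	size_t i = count_tanks();
	if (i >= MAX_TANK_INFO)
		return -1;
	tank_info[i] = (struct tank_info_t){ name, ml };
	return (int)i;
}

int main(void)
{
	while (add_tank("user tank", 10000) >= 0)
		;
	printf("%zu of %d slots used\n", count_tanks(), MAX_TANK_INFO);
	return 0;
}
```

`count_tanks_unclamped()` is safe to call only while at least one slot is free; once `add_tank()` starts returning -1 the table has no sentinel left and only the clamped loop stays in bounds.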