From f3d87a2b164cd605620a8d2e5cd0b35bfc28ce2d Mon Sep 17 00:00:00 2001
From: Dirk Hohndel
Date: Mon, 19 Nov 2012 20:02:34 -0800
Subject: Fix stupid off by one error in Uemis downloader

We are accessing offset 24 in an array of length 24. To make things easier for the base64 conversion we just treat this as an off by three error and instead create an array large enough for 27 elements and convert a sufficient number of base64 chars to initialize all of them.

Signed-off-by: Dirk Hohndel
---
 uemis-downloader.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/uemis-downloader.c b/uemis-downloader.c
index 922aa90ae..adf400581 100644
--- a/uemis-downloader.c
+++ b/uemis-downloader.c
@@ -380,7 +380,7 @@ static void buffer_insert(char **buffer, int *buffer_size, char *buf)
 	int obj_dive;
 	int obj_log;
 	int offset, len;
-	uint8_t hdr[24];
+	uint8_t hdr[27];
 
 	/* since we want to insert into the buffer... if there's
 	 * nothing there, this makes absolutely no sense so just
@@ -406,7 +406,7 @@ static void buffer_insert(char **buffer, int *buffer_size, char *buf)
 	 * some info from that in order to make sense of the data in
 	 * the dive info */
 	b64 = strstr(ptr, "") + 5;
-	decode(b64, hdr, 32);
+	decode(b64, hdr, 36);
 	cbuf = convert_dive_details(buf, hdr);
 	offset = ptr - *buffer;
 	len = strlen(cbuf);
-- cgit v1.2.3-70-g09d2

From 8e4d4970ecf348566046a5fd8aaee13a42b1a7e4 Mon Sep 17 00:00:00 2001
From: Dirk Hohndel
Date: Mon, 19 Nov 2012 20:43:49 -0800
Subject: Fix another off by one error in Uemis native downloader

And again buffer_insert contained the blatant bug. The code wasn't copying the trailing '\0' when extending the string, which usually didn't end up blowing up the code (and therefore kept the bug hidden until now) because of the way realloc reused memory - we just had trailing garbage strings. But sometimes we weren't so lucky and the strlen in a subsequent call of buffer_insert would run past the end of the allocated buffer. Oops.
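Review bot: The new `hdr[27]` in this hunk and the `36` passed to decode() in the next hunk are tied together by the base64 ratio (36 input characters decode to 27 bytes), but nothing in the code records that dependency, so the next resize of one will silently desynchronise the other — exactly the kind of mismatch this commit is fixing. Naming the size and deriving the count keeps them in step: `enum { HDR_LEN = 27 };` with `uint8_t hdr[HDR_LEN];` and `decode(b64, hdr, HDR_LEN / 3 * 4);`. Whether decode() writes exactly the decoded bytes and nothing beyond them is not visible here; if its contract is documented elsewhere, a one-line comment on the array stating the 36-character/27-byte relationship would be the minimum. buffer_insert starts before this hunk and continues past both hunks.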
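Review bot: `b64 = strstr(ptr, "") + 5;` on the context line directly above the changed decode() call uses the strstr() result without a NULL check, so a record that lacks the marker turns into pointer arithmetic on NULL and decode() then reads 36 characters from a wild address; the data is presumably device-supplied, so a truncated or malformed record is enough to reach this. A guard is sufficient: `b64 = strstr(ptr, ""); if (!b64) return; b64 += 5;` (buffer_insert returns void, so skipping the record is the only option without changing the signature). As rendered here the needle reads `""`, presumably a marker stripped during extraction; with a genuinely empty needle strstr() returns ptr itself and the `+ 5` would skip five bytes of unrelated data. decode() is also handed a fixed count of 36 characters with no check that the string holds that many after the marker, which depends on decode's behaviour not shown in this hunk.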
Signed-off-by: Dirk Hohndel
---
 uemis-downloader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/uemis-downloader.c b/uemis-downloader.c
index adf400581..cf70776c8 100644
--- a/uemis-downloader.c
+++ b/uemis-downloader.c
@@ -413,7 +413,7 @@ static void buffer_insert(char **buffer, int *buffer_size, char *buf)
 	*buffer_size += len;
 	*buffer = realloc(*buffer, *buffer_size);
 	ptr = *buffer + offset;
-	memmove(ptr + len, ptr, strlen(*buffer) - offset);
+	memmove(ptr + len, ptr, strlen(*buffer) - offset + 1);
 	memmove(ptr, cbuf, len);
 }
 
-- cgit v1.2.3-70-g09d2
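Review bot: `*buffer = realloc(*buffer, *buffer_size);` on the context line two above the fixed memmove overwrites the only pointer to the buffer, so on allocation failure the old block leaks and `ptr = *buffer + offset` together with both memmove calls then run on a pointer derived from NULL. Keep the old pointer until realloc succeeds: `char *grown = realloc(*buffer, *buffer_size);` / `if (!grown) { *buffer_size -= len; return; }` / `*buffer = grown;` — undoing the size increment keeps `*buffer_size` consistent with the allocation that actually exists, since the void return gives the caller no other signal. The corrected length `strlen(*buffer) - offset + 1` fits in the grown block only if `*buffer_size` already counted the terminator before the increment, which this hunk does not show; a comment on the `+= len` line stating that invariant would make the next reader's job easier. buffer_insert begins before this hunk.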