Revision: 48523
http://brlcad.svn.sourceforge.net/brlcad/?rev=48523&view=rev
Author: erikgreenwald
Date: 2012-01-12 16:50:36 +0000 (Thu, 12 Jan 2012)
Log Message:
-----------
fix up handling of length reading. Cov1459.
Modified Paths:
--------------
brlcad/trunk/src/librt/db5_io.c
Modified: brlcad/trunk/src/librt/db5_io.c
===================================================================
--- brlcad/trunk/src/librt/db5_io.c 2012-01-12 16:48:41 UTC (rev 48522)
+++ brlcad/trunk/src/librt/db5_io.c 2012-01-12 16:50:36 UTC (rev 48523)
@@ -117,6 +117,7 @@
int
db5_decode_length(size_t *lenp, const unsigned char *cp, int format)
{
+ *lenp = 0;
switch (format) {
case DB5HDR_WIDTHCODE_8BIT:
*lenp = (*cp);
@@ -384,11 +385,12 @@
bu_log("db5_get_raw_internal_fp(): fread lenbuf error\n");
return -2;
}
- if (isdigit(*lenbuf) == 0) {
- bu_log("db5_get_raw_internal_fp(): lenbuf is bad value: \"%s\"\n",
lenbuf);
- return -2;
+
+ used += db5_decode_length(&rip->object_length, lenbuf,
rip->h_object_width);
+ if ( rip->object_length > UINTPTR_MAX>>3 ) {
+ bu_log("db5_get_raw_internal_fp() bad length read\n");
+ return -1;
}
- used += db5_decode_length(&rip->object_length, lenbuf,
rip->h_object_width);
rip->object_length <<= 3; /* cvt 8-byte chunks to byte count */
if ((size_t)rip->object_length < sizeof(struct db5_ondisk_header)) {
This was sent by the SourceForge.net collaborative development platform, the
world's largest Open Source development site.
------------------------------------------------------------------------------
RSA(R) Conference 2012
Mar 27 - Feb 2
Save $400 by Jan. 27
Register now!
http://p.sf.net/sfu/rsa-sfdev2dev2
_______________________________________________
BRL-CAD Source Commits mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/brlcad-commits
