Corrupted files may contain items with rec_size larger than the g_record buffer and/or flt_data_size.
Also g_record array size is now defined as constant.
Signed-off-by: Jan Friesse <[email protected]>
---
tools/corosync-fplay.c | 10 +++++++++-
1 files changed, 9 insertions(+), 1 deletions(-)
diff --git a/tools/corosync-fplay.c b/tools/corosync-fplay.c
index 2ecc06a..c5f778c 100644
--- a/tools/corosync-fplay.c
+++ b/tools/corosync-fplay.c
@@ -341,7 +341,9 @@ static struct printer_subsys printer_subsystems[] = {
 static unsigned int printer_subsys_count = sizeof (printer_subsystems) / sizeof (struct printer_subsys);
-static unsigned int g_record[10000];
+#define G_RECORD_SIZE 10000
+
+static unsigned int g_record[G_RECORD_SIZE];
 /*
 * Copy record, dealing with wrapping
@@ -354,6 +356,12 @@ static int logsys_rec_get (int rec_idx) {
 firstcopy = rec_size;
 secondcopy = 0;
+
+ if (rec_size > G_RECORD_SIZE || rec_size > flt_data_size) {
+ fprintf (stderr, "rec_size too large. Input file is probably corrupted.\n");
+ exit (EXIT_FAILURE);
+ }
+
 if (firstcopy + rec_idx > flt_data_size) {
 firstcopy = flt_data_size - rec_idx;
 secondcopy -= firstcopy - rec_size;
--
1.6.2.5
_______________________________________________
Openais mailing list
[email protected]
https://lists.linux-foundation.org/mailman/listinfo/openais
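Review bot: The new guard in logsys_rec_get bounds rec_size from above only; a corrupted record with rec_size == 0 still passes, and if rec_size is a signed type a negative value would also satisfy both comparisons, so the wrap-around arithmetic that follows (and whichever caller advances rec_idx by rec_size, outside this hunk) still runs on an invalid length. The declaration of rec_size is not visible here, so the signedness point is inferred; the zero case is not. Consider folding it into the same test, `if (rec_size == 0 || rec_size > G_RECORD_SIZE || rec_size > flt_data_size) {`, and printing the rejected value and rec_idx in the fprintf (with the format specifier matching their declared types) so a corrupted input can be diagnosed from the message alone. The body of logsys_rec_get starts and ends outside the hunk.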
