Here's a fix for the first memory overrun bug I found:

        aix.c: Avoid memory overrun.  Don't assume logical sector size <= 512B
        * libparted/labels/aix.c (aix_probe): Return 0 if the
        sector size is larger than our AixLabel size.
        (aix_clobber): Rather than PED_ASSERT'ing that aix_probe returns 1,
        simply return 0 if aix_probe fails.

diff --git a/libparted/labels/aix.c b/libparted/labels/aix.c
index a16ead4..9e2a7bb 100644
--- a/libparted/labels/aix.c
+++ b/libparted/labels/aix.c
@@ -48,6 +48,8 @@ aix_probe (const PedDevice *dev)
        AixLabel        label;

        PED_ASSERT (dev != NULL, return 0);
+       if (sizeof (AixLabel) < dev->sector_size)
+               return 0;

        if (!ped_device_read (dev, &label, 0, 1))
                return 0;
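
Review bot: the new guard in aix_probe, `if (sizeof (AixLabel) < dev->sector_size)`, carries no comment tying it to the one-sector ped_device_read into the stack `label` two lines below, so it could later be removed as an arbitrary restriction. Add a one-line comment saying the read writes dev->sector_size bytes into a sizeof (AixLabel) buffer. The check also covers only the too-large case: when dev->sector_size is smaller than sizeof (AixLabel), the read leaves the tail of `label` uninitialized, so consider rejecting that case as well or zeroing `label` first.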
@@ -65,7 +67,8 @@ aix_clobber (PedDevice* dev)
        AixLabel label;

        PED_ASSERT (dev != NULL, return 0);
-       PED_ASSERT (aix_probe (dev), return 0);
+       if (!aix_probe (dev))
+               return 0;

        if (!ped_device_read (dev, &label, 0, 1))
                return 0;
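
Review bot: in aix_clobber the replacement `if (!aix_probe (dev)) return 0;` is now the only thing that stops the following ped_device_read from writing a large sector into the stack `label`, and nothing in the function says so. Either repeat the sector-size check here or add a comment that the aix_probe call must stay ahead of the read. Also note that aix_clobber now returns 0 both when no AIX label is found and when the read fails, so a caller cannot tell the two apart.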
-----------------------------------------------

The above is similar to what's done in dos.c's msdos_probe:

        if (dev->sector_size != 512)
                return 0;

Is it possible to have a DOS or AIX partition on a CDROM with 2048-byte
logical sectors?  (I have no idea)  If so, then it might make sense to
do what rdb.c's amiga_probe does:

        if ((rdb=RDSK(ped_malloc(dev->sector_size)))==NULL)
                return 0;

i.e., rather than simply returning when dev->sector_size is too large
or != 512, just allocate a buffer of the required size and use that,
rather than using the fixed-size one on the stack.
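
The alternative described at the end of the message (a buffer of dev->sector_size instead of the fixed-size stack struct), shown next to the patch's guard, as an added example that is not part of the original message or of parted. Dev, Label, LABEL_MAGIC, dev_read, probe_guarded, probe_heap and run_probe are hypothetical stand-ins, and the sector contents are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins for PedDevice, AixLabel and ped_device_read. */
typedef struct { const uint8_t *image; size_t sector_size; } Dev;
typedef struct { uint32_t magic; uint8_t rest[508]; } Label; /* 512 bytes */
#define LABEL_MAGIC 0x1234ABCDu /* constructed value, not a real magic */

/* Copies `count` whole sectors into buf, as a block read does. */
int dev_read(const Dev *d, void *buf, size_t start, size_t count)
{
    memcpy(buf, d->image + start * d->sector_size, count * d->sector_size);
    return 1;
}

/* The patch's approach: refuse any device whose sector exceeds the struct. */
int probe_guarded(const Dev *d)
{
    Label label;
    if (sizeof label < d->sector_size)
        return 0;
    return dev_read(d, &label, 0, 1) && label.magic == LABEL_MAGIC;
}

/* The alternative: size the buffer from the device, then copy the label out. */
int probe_heap(const Dev *d)
{
    Label label;
    uint8_t *sector;
    int ok;
    if (d->sector_size < sizeof label) /* sector cannot hold a full label */
        return 0;
    if ((sector = calloc(1, d->sector_size)) == NULL)
        return 0;
    ok = dev_read(d, sector, 0, 1);
    memcpy(&label, sector, sizeof label);
    free(sector);
    return ok && label.magic == LABEL_MAGIC;
}

/* Runs a probe over one constructed sector, optionally starting with the magic. */
int run_probe(int (*probe)(const Dev *), size_t sector_size, int with_magic)
{
    static uint8_t img[4096]; /* sector_size must be <= 4096 */
    uint32_t magic = with_magic ? LABEL_MAGIC : 0;
    Dev d = { img, sector_size };
    memcpy(img, &magic, sizeof magic);
    return probe(&d);
}
```

With a 2048-byte sector the guarded probe reports no label even when one is present, while the heap-buffer probe still finds it; both agree on 512-byte sectors.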
