The Mayhem Team found a crash caused by a NULL pointer dereference.
Details are here:
http://www.forallsecure.com/bug-reports/567323cd26f180910beb03ae26afb40c432a0c6a/

Signed-off-by: Gregor Jasny <gja...@googlemail.com>
---
 utils/keytable/keytable.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/utils/keytable/keytable.c b/utils/keytable/keytable.c
index 06b3d95..8bcd5c4 100644
--- a/utils/keytable/keytable.c
+++ b/utils/keytable/keytable.c
@@ -207,13 +207,19 @@ static error_t parse_keyfile(char *fname, char **table)
                        p++;
                        p = strtok(p, "\n\t =:");
                        do {
+                               if (!p)
+                                       goto err_einval;
                                if (!strcmp(p, "table")) {
                                        p = strtok(NULL,"\n, ");
+                                       if (!p)
+                                               goto err_einval;
                                        *table = malloc(strlen(p) + 1);
                                        strcpy(*table, p);
                                } else if (!strcmp(p, "type")) {
                                        p = strtok(NULL, " ,\n");
                                        do {
+                                               if (!p)
+                                                       goto err_einval;
                                                if (!strcasecmp(p,"rc5") || 
!strcasecmp(p,"rc-5"))
                                                        ch_proto |= RC_5;
                                                else if (!strcasecmp(p,"rc6") 
|| !strcasecmp(p,"rc-6"))
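Review bot: The allocation right after the new `table` check is still unchecked: `*table = malloc(strlen(p) + 1);` is followed directly by `strcpy(*table, p);`, so a failed allocation would crash the same way as the NULL token this patch guards against. Adding `if (!*table) goto err_einval;` after the malloc, or a dedicated out-of-memory path, would close that gap. A key file that names `table` twice also appears to overwrite the earlier pointer without freeing it. The `err_einval` label and the rest of parse_keyfile are outside the hunk, so whether that path closes the input file cannot be confirmed from here.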
@@ -447,6 +453,8 @@ static error_t parse_opt(int k, char *arg, struct 
argp_state *state)
        case 'p':
                p = strtok(arg, ",;");
                do {
+                       if (!p)
+                               goto err_inval;
                        if (!strcasecmp(p,"rc5") || !strcasecmp(p,"rc-5"))
                                ch_proto |= RC_5;
                        else if (!strcasecmp(p,"rc6") || !strcasecmp(p,"rc-6"))
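Review bot: The `if (!p) goto err_inval;` guard sits inside `do {`, so it runs on every pass even though, assuming the loop closes with `while (p)` outside this hunk, only the first token can be NULL. Testing once between the strtok() call and `do` states the empty-argument case more directly. A short comment such as `/* argument holds only separators, e.g. "," */` would record why the check exists. The same placement is used for both loops in parse_keyfile, and the `err_inval` label itself is outside the hunk.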
@@ -813,14 +821,19 @@ static int v1_get_sw_enabled_protocol(char *dirname)
                return 0;
        }
 
-       p = strtok(buf, " \n");
-       rc = atoi(p);
-
        if (fclose(fp)) {
                perror(name);
                return errno;
        }
 
+       p = strtok(buf, " \n");
+       if (!p) {
+               fprintf(stderr, "%s has invalid content: '%s'\n", name, buf);
+               return 0;
+       }
+
+       rc = atoi(p);
+
        if (debug)
                fprintf(stderr, "protocol %s is %s\n",
                        name, rc? "enabled" : "disabled");
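Review bot: `rc = atoi(p);` still turns any non-numeric token into 0, so a malformed sysfs file is reported as "disabled" with no diagnostic even though the new branch rejects an empty one. Parsing with strtol() and checking the end pointer would handle both kinds of bad content the same way. The change needs `char *end;` and `long val;` added to the function's declarations, which are outside the hunk. Separately, `return 0;` on invalid content is indistinguishable from a disabled protocol for the caller; whether that is intended depends on code not shown here.

```c
	/* … unchanged: strtok() call and the !p check … */

	/* strtol reports non-numeric and out-of-range input, which atoi() folds into 0 */
	errno = 0;
	val = strtol(p, &end, 10);
	if (end == p || *end != '\0' || errno == ERANGE) {
		fprintf(stderr, "%s has invalid content: '%s'\n", name, p);
		return 0;
	}
	rc = (int)val;
```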
-- 
1.8.3.1
