From: Petr Štetiar Date: Tue, 22 Oct 2019 12:05:39 +0000 (+0200) Subject: fix possible copy of null buffer and validation of unitialized header X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=dbc1b1b71b240ed61ea32eda610fde839d87c5f0;p=project%2Ffwtool.git fix possible copy of null buffer and validation of unitialized header scan-build from clang version 9 has reported following issues: fwtool.c:257:2: warning: Null pointer passed as an argument to a 'nonnull' parameter memcpy(dest, dbuf->cur + dbuf->cur_len - cur_len, cur_len); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ fwtool.c:275:20: warning: The left operand of '!=' is a garbage value if (hdr->version != 0) ~~~~~~~~~~~~ ^ Signed-off-by: Petr Štetiar
---
diff --git a/fwtool.c b/fwtool.c
index c059331..e925b0b 100644
--- a/fwtool.c
+++ b/fwtool.c
@@ -251,7 +251,7 @@ extract_tail(struct data_buf *dbuf, void *dest, int len)
 remove_tail(dbuf, cur_len);
 cur_len = len - cur_len;
- if (cur_len && !dbuf->cur)
+ if (cur_len < 0 || !dbuf->cur)
 return 1;
 memcpy(dest, dbuf->cur + dbuf->cur_len - cur_len, cur_len);
@@ -327,8 +327,10 @@ extract_data(const char *name)
 while (1) {
- if (extract_tail(&dbuf, &tr, sizeof(tr)))
+ if (extract_tail(&dbuf, &tr, sizeof(tr))) {
+ msg("unable to extract trailer header\n");
 break;
+ }
 if (tr.magic != cpu_to_be32(FWIMAGE_MAGIC)) {
 msg("Data not found\n");
@@ -348,7 +350,10 @@ extract_data(const char *name)
 break;
 }
- extract_tail(&dbuf, buf, data_len);
+ if (extract_tail(&dbuf, buf, data_len)) {
+ msg("unable to extract trailer data\n");
+ break;
+ }
 if (tr.type == FWIMAGE_SIGNATURE) {
 if (!signature_file)
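Review bot: The rewritten guard `if (cur_len < 0 || !dbuf->cur)` in extract_tail now returns 1 when `cur_len` is 0 and `dbuf->cur` is NULL, a case the old `cur_len && !dbuf->cur` let through as success. If the first copy (outside this hunk) already satisfied the whole request and released the last buffer, a complete read would be reported as a failure. An explicit `if (!cur_len) return 0;` ahead of the NULL test would keep the scan-build fix without that side effect, provided nothing after the memcpy has to run for a zero remainder. The guard also leaves `cur_len` unbounded from above, so the following `memcpy(dest, dbuf->cur + dbuf->cur_len - cur_len, cur_len)` reads before the start of the buffer whenever `cur_len > dbuf->cur_len`. Since `len` appears to come from the image trailer via `data_len` in extract_data, adding `|| cur_len > dbuf->cur_len` to the condition is worth it; extract_tail starts and ends outside the hunk.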
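Review bot: The new error branch in extract_data's `while (1)` loop (`msg("unable to extract trailer header\n"); break;`) leaves the loop without any visible change to the function's result, and the third hunk's `msg("unable to extract trailer data\n"); break;` does the same. Whether extract_data then reports failure depends on code after the loop, which is outside both hunks. If the status variable can still hold success from an earlier iteration, a truncated or malformed image would log an error yet exit as if the signature or metadata had been extracted. It is worth confirming that both branches set the error status before `break`, and that a partially written output file is not left behind for the caller to verify. The first `break` was also the loop's exit when `extract_tail` found no more data, so the "unable to extract trailer header" message may now print on that path too.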