If idx is too large, a segfault can happen. A cycle is now also detected
properly.

Signed-off-by: Jan Friesse <[email protected]>
---
 tools/corosync-fplay.c |   13 +++++++++++++
 1 files changed, 13 insertions(+), 0 deletions(-)

diff --git a/tools/corosync-fplay.c b/tools/corosync-fplay.c
index f07e225..a18bbfc 100644
--- a/tools/corosync-fplay.c
+++ b/tools/corosync-fplay.c
@@ -350,6 +350,8 @@ static unsigned int printer_subsys_count =
 
 static uint32_t g_record[G_RECORD_SIZE];
 
+static int file_rewind = 0;
+
 /*
  * Copy record, dealing with wrapping
  */
@@ -357,6 +359,11 @@ static int logsys_rec_get (int rec_idx) {
        uint32_t rec_size;
        int firstcopy, secondcopy;
 
+       if (rec_idx >= flt_data_size) {
+               fprintf (stderr, "rec_idx too large. Input file is probably 
corrupted.\n");
+               exit (EXIT_FAILURE);
+       }
+
        rec_size = flt_data[rec_idx];
 
        firstcopy = rec_size;
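Review bot: The new guard in logsys_rec_get rejects only an index at or above flt_data_size. Because rec_idx is a signed int, a negative index still reaches `flt_data[rec_idx]` unless flt_data_size is unsigned (its declaration is outside the hunk); `if (rec_idx < 0 || rec_idx >= flt_data_size)` would cover both cases. The rec_size read on the next line comes from the same possibly corrupted file and is assigned to the int `firstcopy` with no range check visible here. If the lines elided between this hunk and the next do not already bound it, I would reject `rec_size > G_RECORD_SIZE` before anything is copied into g_record, which also keeps `firstcopy + rec_idx` from overflowing. The function body continues outside the hunk.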
@@ -373,6 +380,12 @@ static int logsys_rec_get (int rec_idx) {
        }
 
        if (firstcopy + rec_idx > flt_data_size) {
+               if (file_rewind) {
+                       fprintf (stderr, "file rewind for second time (cycle). 
Input file is probably corrupted.\n");
+                       exit (EXIT_FAILURE);
+               }
+
+               file_rewind = 1;
                firstcopy = flt_data_size - rec_idx;
                secondcopy -= firstcopy - rec_size;
        }
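Review bot: `file_rewind` is a file-scope flag that is set on the first wrapping record and never cleared in the visible lines, so the cycle check relies on logsys_rec_get seeing at most one wrapping record per process run. That assumption deserves a comment at the declaration, for example `/* Set once a record wraps past the end of flt_data; a second wrap means the record chain loops. */`. If any caller fetches the same wrapping record twice, or the tool ever replays more than one buffer, this would exit on valid input; I cannot confirm either from the hunk. The check also catches only loops that cross the end of the buffer, so a record whose size field is 0 might still stall the caller's walk, depending on how the caller advances rec_idx. The enclosing function starts and ends outside this hunk.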
-- 
1.7.1
