I found this problem quite casually while trying to see if the FreeBSD support worked on DragonFly. Basically, when the nrg driver is built and you call one of the programs in the suite with a short name (one or two characters), it segfaults. The problem is that the cdio_is_nrg() function tries to access memory after the end of the string without checking its length first (yes, there's a check for i to be greater than 0, but being an unsigned int, it can't really become less than 0).
The attached patch solves the problem by changing the code: instead of doing a manual check on the last three characters, it first checks the length of the string, making sure it's at least 4 characters (".nrg"), then checks if the last three characters are "nrg" with strncasecmp(). This is safe from segfaults... still, probably libmagic could help a bit more on checking if a file is actually an nrg image :)
--
Diego "Flameeyes" Pettenò - http://dev.gentoo.org/~flameeyes/
Gentoo/ALT lead, Gentoo/FreeBSD, Video, AMD64, Sound, PAM, KDE
Index: libcdio-0.76/lib/driver/image/nrg.c
===================================================================
--- libcdio-0.76.orig/lib/driver/image/nrg.c
+++ libcdio-0.76/lib/driver/image/nrg.c
@@ -1173,21 +1173,14 @@ _get_track_green_nrg(void *p_user_data,
bool
cdio_is_nrg(const char *psz_nrg)
{
- unsigned int i;
+ size_t psz_len;
if (psz_nrg == NULL) return false;
+ psz_len = strlen(psz_nrg);
+ /* At least 4 characters needed for .nrg extension */
+ if ( psz_len < 4 ) return false;
- i=strlen(psz_nrg)-strlen("nrg");
-
- if (i>0) {
- if (psz_nrg[i]=='n' && psz_nrg[i+1]=='r' && psz_nrg[i+2]=='g') {
- return true;
- }
- else if (psz_nrg[i]=='N' && psz_nrg[i+1]=='R' && psz_nrg[i+2]=='G') {
- return true;
- }
- }
- return false;
+ return strncasecmp( psz_nrg+(psz_len-3), "nrg", 3 ) == 0;
}
/*!
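Review bot: the comment on the new length check says four characters are needed for ".nrg", but the comparison `strncasecmp( psz_nrg+(psz_len-3), "nrg", 3 )` only examines the last three, so a name such as `anrg` (no dot) is still accepted as a Nero image, exactly as the old code accepted it. Either compare the last four bytes with `strcasecmp(psz_nrg + (psz_len - 4), ".nrg")` or add `psz_nrg[psz_len-4] == '.'` so the code matches the comment; otherwise lower the threshold to 3 and reword the comment. The fix itself is sound: the removed `i=strlen(psz_nrg)-strlen("nrg")` wrapped to a huge unsigned value for names shorter than three characters, so `if (i>0)` never rejected them, and testing `psz_len` before any pointer arithmetic closes that. Also worth confirming that nrg.c includes `<strings.h>`, where POSIX declares strncasecmp(), since the removed code used only character comparisons and needed no such header.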
Libcdio-devel mailing list: http://lists.gnu.org/mailman/listinfo/libcdio-devel
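As an added illustration of the bug class described in the message above (this is example code written for this page, not libcdio's own), the block below reproduces only the arithmetic of the original guard, showing how `strlen(psz) - 3` wraps in `size_t` for short names so that `i > 0` cannot reject them, and places beside it a suffix check that tests the length before any pointer arithmetic and also requires the dot. The function names `legacy_suffix_index`, `legacy_guard_fails` and `is_nrg_name` are my own and do not exist in libcdio.

```c
/* Added example, not libcdio code. Demonstrates why an unsigned index can
 * never be "less than 0" and how to bound the suffix check safely. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp() is POSIX and declared here */

/* Same arithmetic as the original cdio_is_nrg(): strlen(psz) - 3 computed in
 * size_t. For a name shorter than three characters the subtraction wraps to
 * a value near SIZE_MAX instead of going negative. The string itself is
 * never indexed here, so this is safe to run. */
size_t legacy_suffix_index(const char *psz)
{
    return strlen(psz) - strlen("nrg");
}

/* True when the original guard "i > 0" would have let indexing proceed even
 * though i lies at or beyond the end of the string, i.e. the case in which
 * the old code read out of bounds. */
bool legacy_guard_fails(const char *psz)
{
    size_t i = legacy_suffix_index(psz);
    return i > 0 && i >= strlen(psz);
}

/* Hardened check: the length is verified before any pointer arithmetic, and
 * the comparison covers the dot as well, so "anrg" is not mistaken for a
 * Nero image. Hypothetical replacement, not the function libcdio ships. */
bool is_nrg_name(const char *psz)
{
    size_t len;
    if (psz == NULL) return false;
    len = strlen(psz);
    if (len < 4) return false;                 /* ".nrg" needs four bytes */
    return strcasecmp(psz + (len - 4), ".nrg") == 0;
}

int main(void)
{
    /* Constructed sample names covering the short-name crash and the
     * case-insensitive match. */
    const char *names[] = { "", "a", "ab", "nrg", "anrg", "disc.nrg", "DISC.NRG" };
    size_t n;
    for (n = 0; n < sizeof names / sizeof names[0]; n++) {
        printf("%-9s old guard unsafe: %-5s  is_nrg_name: %s\n",
               names[n][0] ? names[n] : "\"\"",
               legacy_guard_fails(names[n]) ? "yes" : "no",
               is_nrg_name(names[n]) ? "yes" : "no");
    }
    return 0;
}
```

Running it shows the one- and two-character names (and the empty string) tripping the old guard while the hardened check rejects them and still accepts `disc.nrg` and `DISC.NRG`.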
