diff options
author | William Wilgus <wilgus.william@gmail.com> | 2024-06-05 01:03:13 -0400 |
---|---|---|
committer | William Wilgus <me.theuser@yahoo.com> | 2024-06-05 19:13:47 -0400 |
commit | e54dedd8df7de98ccbc082afadf977f56ce8259f (patch) | |
tree | 6221ea0b4145aab4f1558cc621a119e05e187d29 | |
parent | 74552d5404e6ada5a37042d8de789784d914a080 (diff) | |
download | rockbox-e54dedd8df.tar.gz rockbox-e54dedd8df.zip |
[coverity] fat.c fatlong_parse_entry() buffer overrun, fix warning basisname
BYTES2INT16() uses [i + 0] and [i + 1] therefore 30 is the max element
available in the raw byte array of size 32
(((uint32_t)array[pos+0] << 0) | \
((uint32_t)array[pos+1] << 8))
struct /* raw byte array */
{
uint8_t data[32];
};
basisname is only uninitialized in the . and .. dir entries
both are likely false positives but cheap enough to guard against
Change-Id: Iab3d186fed6050d2d61185071765a2c0feb9515f
-rw-r--r-- | firmware/drivers/fat.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/firmware/drivers/fat.c b/firmware/drivers/fat.c index 20c8f2b8e0..ebf0f92798 100644 --- a/firmware/drivers/fat.c +++ b/firmware/drivers/fat.c @@ -659,11 +659,14 @@ static inline unsigned int longent_char_next(unsigned int i) { switch (i += 2) { + /* flip endian for elements 14 - 27 */ case 26: i -= 1; /* return 28 */ + /* Fall-Through */ case 11: i += 3; /* return 14 */ } - - return i < 32 ? i : 0; + /* BYTES2INT16() uses [i + 0] and [i + 1] therefore + * 30 is the max element available in the raw byte array of size 32 */ + return i < 31 ? i : 0; } /* initialize the parse state; call before parsing first long entry */ @@ -1708,6 +1711,7 @@ static int add_dir_entry(struct bpb *fat_bpb, struct fat_filestr *parentstr, int dots = strlcpy(shortname, name, 11); memset(&shortname[dots], ' ', 11 - dots); entries_needed = 1; + basisname[0] = '\0'; } else { |