devs/foxbox
1
0
Fork 0
forked from len0rd/rockbox
Code Pull requests Activity

skin_parser.c: fix possibile overflow in parse_setting_and_lang(). simplify comparison of string in parameter in parse_touchregion().

Browse source 
git-svn-id: svn://svn.rockbox.org/rockbox/trunk@26168 a1c6a512-1295-4272-9138-f99709370657
This commit is contained in:
Teruaki Kawashima 2010-05-19 15:47:54 +00:00
parent 12af4986b9
commit 0a4eda4d46
1 changed files with 17 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

33
apps/gui/skin_engine/skin_parser.c
View file

@ -1067,7 +1067,7 @@ static int parse_setting_and_lang(const char *wps_bufptr,
return WPS_ERROR_INVALID_PARAM; return WPS_ERROR_INVALID_PARAM;
ptr++; ptr++;
end = strchr(ptr,'|'); end = strchr(ptr,'|');
if (!end) if (!end || (size_t)(end-ptr+1) > sizeof temp)
return WPS_ERROR_INVALID_PARAM; return WPS_ERROR_INVALID_PARAM;
strlcpy(temp, ptr,end-ptr+1); strlcpy(temp, ptr,end-ptr+1);
@ -1084,9 +1084,7 @@ static int parse_setting_and_lang(const char *wps_bufptr,
/* Find the setting */ /* Find the setting */
for (i=0; i<nb_settings; i++) for (i=0; i<nb_settings; i++)
if (settings[i].cfg_name && if (settings[i].cfg_name &&
!strncmp(settings[i].cfg_name,ptr,end-ptr) && !strcmp(settings[i].cfg_name, temp))
/* prevent matches on cfg_name prefixes */
strlen(settings[i].cfg_name)==(size_t)(end-ptr))
break; break;
#ifndef __PCTOOL__ #ifndef __PCTOOL__
if (i == nb_settings) if (i == nb_settings)
@ -1510,10 +1508,11 @@ static int parse_touchregion(const char *wps_bufptr,
unsigned i, imax; unsigned i, imax;
struct touchregion *region = NULL; struct touchregion *region = NULL;
const char *ptr = wps_bufptr; const char *ptr = wps_bufptr;
const char *action; const char *action, *end;
const char pb_string[] = "progressbar"; const char pb_string[] = "progressbar";
const char vol_string[] = "volume"; const char vol_string[] = "volume";
int x,y,w,h; int x,y,w,h;
char temp[20];
/* format: %T|x|y|width|height|action| /* format: %T|x|y|width|height|action|
* if action starts with & the area must be held to happen * if action starts with & the area must be held to happen
@ -1561,11 +1560,15 @@ static int parse_touchregion(const char *wps_bufptr,
region->wvp = curr_vp; region->wvp = curr_vp;
region->armed = false; region->armed = false;
if(!strncmp(pb_string, action, sizeof(pb_string)-1) end = strchr(action, '|');
&& *(action + sizeof(pb_string)-1) == '|') if (!end || (size_t)(end-action+1) > sizeof temp)
return WPS_ERROR_INVALID_PARAM;
strlcpy(temp, action, end-action+1);
action = temp;
if(!strcmp(pb_string, action))
region->type = WPS_TOUCHREGION_SCROLLBAR; region->type = WPS_TOUCHREGION_SCROLLBAR;
else if(!strncmp(vol_string, action, sizeof(vol_string)-1) else if(!strcmp(vol_string, action))
&& *(action + sizeof(vol_string)-1) == '|')
region->type = WPS_TOUCHREGION_VOLUME; region->type = WPS_TOUCHREGION_VOLUME;
else else
{ {
@ -1579,17 +1582,15 @@ static int parse_touchregion(const char *wps_bufptr,
else else
region->repeat = false; region->repeat = false;
i = 0;
imax = ARRAYLEN(touchactions); imax = ARRAYLEN(touchactions);
while ((region->action == ACTION_NONE) && for (i = 0; i < imax; i++)
(i < imax))
{ {
/* try to match with one of our touchregion screens */ /* try to match with one of our touchregion screens */
int len = strlen(touchactions[i].s); if (!strcmp(touchactions[i].s, action))
if (!strncmp(touchactions[i].s, action, len) {
&& *(action+len) == '|')
region->action = touchactions[i].action; region->action = touchactions[i].action;
i++; break;
}
} }
if (region->action == ACTION_NONE) if (region->action == ACTION_NONE)
return WPS_ERROR_INVALID_PARAM; return WPS_ERROR_INVALID_PARAM;