diff options
author | Gabriel M. Beddingfield <gabrbedd@ti.com> | 2011-11-28 17:17:00 -0600 |
---|---|---|
committer | Gabriel M. Beddingfield <gabrbedd@ti.com> | 2012-02-08 16:58:27 -0600 |
commit | 3e3376a4b73e0475d6e1be9cf533ea4ae0674ee3 (patch) | |
tree | 12ddcb10ef5f64c3381ad00e7f31b8036fc0a8b8 | |
parent | 80085d470d189362ddb6dda9bba6ee05fe7c84c6 (diff) |
tinycap, tinyplay: Check *argv before dereferencing.
In several places, argv is incremented and *argv is dereferenced
without checking to see if it is valid to do so. This could lead to a
buffer overrun if the user provides invalid parameters.
This patch generally changes this:
if (strcmp(*argv, "-r") == 0) {
argv++;
rate = atoi(*argv);
}
argv++;
To this:
if (strcmp(*argv, "-r") == 0) {
argv++;
if (*argv)
rate = atoi(*argv);
}
if (*argv)
argv++;
Signed-off-by: Gabriel M. Beddingfield <gabrbedd@ti.com>
-rw-r--r-- | tinycap.c | 15 | ||||
-rw-r--r-- | tinyplay.c | 6 |
2 files changed, 14 insertions, 7 deletions
@@ -93,18 +93,23 @@ int main(int argc, char **argv) while (*argv) { if (strcmp(*argv, "-d") == 0) { argv++; - device = atoi(*argv); + if (*argv) + device = atoi(*argv); } else if (strcmp(*argv, "-c") == 0) { argv++; - channels = atoi(*argv); + if (*argv) + channels = atoi(*argv); } else if (strcmp(*argv, "-r") == 0) { argv++; - rate = atoi(*argv); + if (*argv) + rate = atoi(*argv); } else if (strcmp(*argv, "-b") == 0) { argv++; - bits = atoi(*argv); + if (*argv) + bits = atoi(*argv); } - argv++; + if (*argv) + argv++; } header.riff_id = ID_RIFF; @@ -79,9 +79,11 @@ int main(int argc, char **argv) while (*argv) { if (strcmp(*argv, "-d") == 0) { argv++; - device = atoi(*argv); + if (*argv) + device = atoi(*argv); } - argv++; + if (*argv) + argv++; } fread(&header, sizeof(struct wav_header), 1, file); |