tinycap, tinyplay: Check *argv before dereferencing.

In several places, argv is incremented and *argv is dereferenced
without checking to see if it is valid to do so.  This could lead to a
buffer overrun if the user provides invalid parameters.

This patch generally changes this:

    if (strcmp(*argv, "-r") == 0) {
        argv++;
        rate = atoi(*argv);
    }
    argv++;

To this:

    if (strcmp(*argv, "-r") == 0) {
        argv++;
        if (*argv)
            rate = atoi(*argv);
    }
    if (*argv)
        argv++;

Signed-off-by: Gabriel M. Beddingfield <gabrbedd@ti.com>

2 files changed, 14 insertions, 7 deletions

diff --git a/tinycap.c b/tinycap.c
index 3eb5c60..586270b 100644
--- a/tinycap.c
+++ b/tinycap.c
@@ -93,18 +93,23 @@ int main(int argc, char **argv)
     while (*argv) {
         if (strcmp(*argv, "-d") == 0) {
             argv++;
-            device = atoi(*argv);
+            if (*argv)
+                device = atoi(*argv);
         } else if (strcmp(*argv, "-c") == 0) {
             argv++;
-            channels = atoi(*argv);
+            if (*argv)
+                channels = atoi(*argv);
         } else if (strcmp(*argv, "-r") == 0) {
             argv++;
-            rate = atoi(*argv);
+            if (*argv)
+                rate = atoi(*argv);
         } else if (strcmp(*argv, "-b") == 0) {
             argv++;
-            bits = atoi(*argv);
+            if (*argv)
+                bits = atoi(*argv);
         }
-        argv++;
+        if (*argv)
+            argv++;
     }
 
     header.riff_id = ID_RIFF;
diff --git a/tinyplay.c b/tinyplay.c
index 915a1ea..20b9ce3 100644
--- a/tinyplay.c
+++ b/tinyplay.c
@@ -79,9 +79,11 @@ int main(int argc, char **argv)
     while (*argv) {
         if (strcmp(*argv, "-d") == 0) {
             argv++;
-            device = atoi(*argv);
+            if (*argv)
+                device = atoi(*argv);
         }
-        argv++;
+        if (*argv)
+            argv++;
     }
 
     fread(&header, sizeof(struct wav_header), 1, file);