From 3e3376a4b73e0475d6e1be9cf533ea4ae0674ee3 Mon Sep 17 00:00:00 2001 From: "Gabriel M. Beddingfield" Date: Mon, 28 Nov 2011 17:17:00 -0600 Subject: tinycap, tinyplay: Check *argv before dereferencing. In several places, argv is incremented and *argv is dereferenced without checking to see if it is valid to do so. This could lead to a buffer overrun if the user provides invalid parameters. This patch generally changes this: if (strcmp(*argv, "-r") == 0) { argv++; rate = atoi(*argv); } argv++; To this: if (strcmp(*argv, "-r") == 0) { argv++; if (*argv) rate = atoi(*argv); } if (*argv) argv++; Signed-off-by: Gabriel M. Beddingfield --- tinycap.c | 15 ++++++++++----- tinyplay.c | 6 ++++-- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/tinycap.c b/tinycap.c index 3eb5c60..586270b 100644 --- a/tinycap.c +++ b/tinycap.c @@ -93,18 +93,23 @@ int main(int argc, char **argv) while (*argv) { if (strcmp(*argv, "-d") == 0) { argv++; - device = atoi(*argv); + if (*argv) + device = atoi(*argv); } else if (strcmp(*argv, "-c") == 0) { argv++; - channels = atoi(*argv); + if (*argv) + channels = atoi(*argv); } else if (strcmp(*argv, "-r") == 0) { argv++; - rate = atoi(*argv); + if (*argv) + rate = atoi(*argv); } else if (strcmp(*argv, "-b") == 0) { argv++; - bits = atoi(*argv); + if (*argv) + bits = atoi(*argv); } - argv++; + if (*argv) + argv++; } header.riff_id = ID_RIFF; diff --git a/tinyplay.c b/tinyplay.c index 915a1ea..20b9ce3 100644 --- a/tinyplay.c +++ b/tinyplay.c @@ -79,9 +79,11 @@ int main(int argc, char **argv) while (*argv) { if (strcmp(*argv, "-d") == 0) { argv++; - device = atoi(*argv); + if (*argv) + device = atoi(*argv); } - argv++; + if (*argv) + argv++; } fread(&header, sizeof(struct wav_header), 1, file); -- cgit v1.2.3