Chameleon

Chameleon Commit Details

Date:2012-11-14 11:14:45 (8 years 19 days ago)
Author:armel cadet-petit
Commit:2121
Parents: 2120
Message:Security fixes
Changes:
M/branches/cparm/i386/libsaio/device_tree.c
M/branches/cparm/i386/modules/USBFix/usb.c
M/branches/cparm/i386/libsaio/convert.c
M/branches/cparm/i386/libsaio/hfs.c
M/branches/cparm/i386/util/fdisk/disk.c
M/branches/cparm/i386/libsaio/hfs_compare.c
M/branches/cparm/i386/libsaio/fake_efi.c
M/branches/cparm/i386/libsaio/device_inject.c
M/branches/cparm/i386/util/fdisk/fdisk.c
M/branches/cparm/i386/libsaio/CoreHash.c
M/branches/cparm/i386/libsaio/ufs.c
M/branches/cparm/i386/modules/HibernateEnabler/bmdecompress.c
M/branches/cparm/i386/modules/KernelPatcher/kernel_patcher.c
M/branches/cparm/i386/modules/GUI/picopng.c
M/branches/cparm/i386/util/fdisk/user.c
M/branches/cparm/i386/util/fdisk/mbr.c

File differences

branches/cparm/i386/libsaio/device_tree.c
353353
354354
355355
356
357
358
359
356
360357
361358
362359
}
}
if (child == 0 && createIfMissing) {
DPRINTF("Creating node\n");
//char *str = malloc(strlen(nameBuf) + 1);
// XXX this will leak
//strcpy(str, nameBuf);
DPRINTF("Creating node\n");
const char *str = newString(nameBuf);
if (str) {
branches/cparm/i386/libsaio/hfs.c
339339
340340
341341
342
342
343343
344344
345345
......
360360
361361
362362
363
363
364364
365365
366366
......
368368
369369
370370
371
371
372372
373373
374374
......
611611
612612
613613
614
615
616
617
614618
615619
616620
......
743747
744748
745749
750
751
752
753
746754
747755
748756
if ((dirFlags & kFileTypeMask) != kFileTypeUnknown) return -1;
}
GetCatalogEntry(dirIndex, name, flags, time, finderInfo, infoValid);
if (GetCatalogEntry(dirIndex, name, flags, time, finderInfo, infoValid) != 0) return -1;
if (*dirIndex == 0) *dirIndex = -1;
if ((*flags & kFileTypeMask) == kFileTypeUnknown) return -1;
/* Fill some crucial data structures by side effect. */
dirIndex = 0;
HFSGetDirEntry(ih, "/", &dirIndex, &name, &flags, &time, 0, 0);
if (HFSGetDirEntry(ih, "/", &dirIndex, &name, &flags, &time, 0, 0) != 0) return;
/* Now we can loook up the volume name node. */
nodeSize = SWAP_BE16(gBTHeaders[kBTreeCatalog]->nodeSize);
dirIndex = (long long) firstLeafNode * nodeSize;
GetCatalogEntry(&dirIndex, &name, &flags, &time, 0, 0);
if (GetCatalogEntry(&dirIndex, &name, &flags, &time, 0, 0) != 0) return;
strncpy(str, name, strMaxLen);
str[strMaxLen] = '\0';
nodeSize = SWAP_BE16(gBTHeaders[kBTreeCatalog]->nodeSize);
nodeBuf = (char *)malloc(nodeSize);
if (!nodeBuf)
{
return -1;
}
node = (BTNodeDescriptor *)nodeBuf;
index = (long) (*dirIndex % nodeSize);
curNode = SWAP_BE32(gBTHeaders[btree]->rootNode);
nodeSize = SWAP_BE16(gBTHeaders[btree]->nodeSize);
nodeBuf = (char *)malloc(nodeSize);
if (!nodeBuf)
{
return -1;
}
node = (BTNodeDescriptor *)nodeBuf;
while (1) {
branches/cparm/i386/libsaio/hfs_compare.c
3737
3838
3939
40
41
42
43
44
4045
4146
4247
UncompressStructure(struct compressed_block *bp, int count, int size)
{
unsigned short *out = malloc(size);
if (!out)
{
stop("UncompressStructure unable to allocate memory\n");
return 0;
}
unsigned short *op = out;
unsigned short data;
int i, j;
branches/cparm/i386/libsaio/ufs.c
168168
169169
170170
171
171172
172173
173174
gFragsPerBlock = gBlockSize / gFragSize;
if (gTempBlock != 0) free(gTempBlock);
gTempBlock = malloc(gBlockSize);
if (!gTempBlock) return -1;
CacheInit(ih, gBlockSize);
gCurrentIH = ih;
branches/cparm/i386/libsaio/device_inject.c
352352
353353
354354
355
355
356356
357357
358358
......
372372
373373
374374
375
376
377
378
379
375
376
377
380378
381
382
383
379
380
381
382
383
384
385
384386
385
387
388
389
386390
387
391
388392
389393
390394
const char *val;
uint8_t *binStr;
uint8_t *kbinStr;
EFI_STATUS ret = EFI_DEVICE_ERROR;
int cnt = 0, cnt2 = 0;
static char DEVICE_PROPERTIES_PROP[] = "device-properties";
if (cnt > 1)
{
binStr = convertHexStr2Binary(val, &cnt2);
if (cnt2 > 0)
{
kbinStr = (uint8_t*)AllocateKernelMemory(cnt2);
if (kbinStr)
if (binStr)
{
if (cnt2 > 0)
{
bcopy(binStr,kbinStr,cnt2);
DT__AddProperty(node, DEVICE_PROPERTIES_PROP, cnt2, kbinStr);
return EFI_SUCCESS;
kbinStr = (uint8_t*)AllocateKernelMemory(cnt2);
if (kbinStr)
{
bcopy(binStr,kbinStr,cnt2);
DT__AddProperty(node, DEVICE_PROPERTIES_PROP, cnt2, kbinStr);
ret = EFI_SUCCESS;
}
}
}
free(binStr);
}
}
return EFI_DEVICE_ERROR;
return ret;
}
branches/cparm/i386/libsaio/CoreHash.c
4949
5050
5151
52
52
53
54
55
56
5357
5458
5559
static void CopyVarPtr (struct env_struct *var, void* ptr, size_t size)
{
var->ptr = malloc(size);
memcpy(var->ptr, ptr, size);
if (var->ptr)
{
memcpy(var->ptr, ptr, size);
}
}
static struct env_struct *find_env(const char *name) {
branches/cparm/i386/libsaio/convert.c
9393
9494
9595
96
97
98
99
96
10097
10198
10299
......
132129
133130
134131
135
136
137
138
139
132
133
134
135
136
140137
{
// the resulting binary will be the half size of the input hex string
binStr = malloc(len / 2);
if (!binStr) {
*outLength = 0;
return NULL;
}
if (!binStr) goto out;
binStrIdx = 0;
hexNibbleIdx = 0;
for (hexStrIdx = 0; hexStrIdx < len; hexStrIdx++)
*outLength = binStrIdx;
return binStr;
}
else
{
*outLength = 0;
return NULL;
}
out:
*outLength = 0;
return NULL;
}
branches/cparm/i386/libsaio/fake_efi.c
264264
265265
266266
267
268
267
269268
270
271
272
269
273270
274
275
276
271
272
273
274
275
276
277
278
279
277280
281
278282
279283
280284
if (cnt > 1)
{
binStr = convertHexStr2Binary(val, &cnt2);
if (cnt2 > 0)
if (binStr)
{
kbinStr = (uint8_t*)AllocateKernelMemory(cnt2);
if (kbinStr)
if (cnt2 > 0)
{
bcopy(binStr,kbinStr,cnt2);
DT__AddProperty(node, DEVICE_PROPERTIES_PROP, cnt2, kbinStr);
}
kbinStr = (uint8_t*)AllocateKernelMemory(cnt2);
if (kbinStr)
{
bcopy(binStr,kbinStr,cnt2);
DT__AddProperty(node, DEVICE_PROPERTIES_PROP, cnt2, kbinStr);
}
}
free(binStr);
}
}
}
}
branches/cparm/i386/modules/GUI/picopng.c
7373
7474
7575
76
7677
7778
7879
......
104105
105106
106107
108
107109
108110
109111
......
13471349
13481350
13491351
1352
1353
1354
1355
13501356
13511357
13521358
......
13651371
13661372
13671373
1374
1375
1376
1377
1378
13681379
13691380
13701381
......
13971408
13981409
13991410
1411
1412
1413
1414
1415
14001416
14011417
14021418
if (png_alloc_find_node(addr))
return;
node = malloc(sizeof (png_alloc_node_t));
if (!node) return;
node->addr = addr;
node->size = size;
node->prev = png_alloc_tail;
void *png_alloc_malloc(size_t size)
{
void *addr = malloc(size);
if (!addr) return NULL;
png_alloc_add_node(addr, size);
return addr;
}
goto failed;
}
pngData = malloc(pngSize);
if (!pngData) {
error = -1;
goto failed;
}
if (read(pngFile, (char *) pngData, pngSize) != pngSize) {
error = -1;
goto failed;
goto failed;
}
uint8_t *result = malloc(info->width*4*info->height);
if (!result)
{
error = -1;
goto failed;
}
*width = info->width;
*height = info->height;
memcpy(result, info->image->data, info->width*4*info->height);
goto failed;
}
uint8_t *result = malloc(info->width*4*info->height);
if (!result)
{
error = -1;
goto failed;
}
*width = info->width;
*height = info->height;
memcpy(result, info->image->data, info->width*4*info->height);
branches/cparm/i386/modules/KernelPatcher/kernel_patcher.c
129129
130130
131131
132
133
132134
133135
134136
......
139141
140142
141143
144
145
146
142147
143148
144149
......
153158
154159
155160
161
156162
157163
158164
......
166172
167173
168174
175
176
169177
170178
171179
if(patches == NULL)
{
patches = entry = malloc(sizeof(patchRoutine_t));
if (!entry || !patches) return;
}
else
{
}
entry->next = malloc(sizeof(patchRoutine_t));
if (!entry) return;
entry = entry->next;
}
if(kernelSymbols == NULL)
{
kernelSymbols = malloc(sizeof(kernSymbols_t));
if (!kernelSymbols) return;
kernelSymbols->next = NULL;
kernelSymbols->symbol = (char*)name;
kernelSymbols->addr = 0;
}
symbol->next = malloc(sizeof(kernSymbols_t));
if (!symbol->next) return;
symbol = symbol->next;
symbol->next = NULL;
branches/cparm/i386/modules/HibernateEnabler/bmdecompress.c
4646
4747
4848
49
50
51
4952
5053
5154
......
147150
148151
149152
153
154
155
156
150157
151158
152159
uint16_t * sc1 = malloc((width+2) * sizeof(uint16_t));
uint16_t * sc2 = malloc((width+2) * sizeof(uint16_t));
uint16_t * sc3 = malloc((width+2) * sizeof(uint16_t));
if (!sc0 || !sc1 || !sc2 || !sc3) return;
uint32_t sr0, sr1, sr2, sr3;
bzero(sc0, (width+2) * sizeof(uint16_t));
uint16_t * sc1 = malloc((width+2) * sizeof(uint16_t));
uint16_t * sc2 = malloc((width+2) * sizeof(uint16_t));
uint16_t * sc3 = malloc((width+2) * sizeof(uint16_t));
if (!sc0 || !sc1 || !sc2 || !sc3) return;
uint32_t sr0, sr1, sr2, sr3;
bzero(sc0, (width+2) * sizeof(uint16_t));
branches/cparm/i386/modules/USBFix/usb.c
5757
5858
5959
60
60
6161
6262
6363
current = current->next;
}
current->next = (struct pciList*)malloc(sizeof(struct pciList));
if (!current) {
if (!current->next) {
return;
}
current = current->next;
branches/cparm/i386/util/fdisk/fdisk.c
239239
240240
241241
242
243
244
242245
243246
244247
......
259262
260263
261264
265
262266
263267
264268
}
mbr_binary = (char *)malloc(MBR_CODE_SIZE);
if (!mbr_binary) errx(1, "out of memory");
if ((fd = open(mbrfile, O_RDONLY)) == -1) {
warn("could not open MBR file %s", mbrfile);
bzero(mbr_binary, MBR_CODE_SIZE);
} else if (i_flag) {
/* If they didn't specify -a, they'll get the default auto style */
mp = MBR_alloc(NULL);
if (!mp) errx(1, "out of memory");
if (AUTO_init(&disk, auto_style, mp) != AUTO_OK) {
errx(1, "error initializing disk");
}
branches/cparm/i386/util/fdisk/user.c
156156
157157
158158
159
159160
161
162
160163
161164
162165
......
256259
257260
258261
262
263
259264
260265
261266
/* Read MBR & partition */
mbr = MBR_alloc(NULL);
if (!mbr) errx(1, "out of memory");
fd = DISK_open(disk->name, O_RDONLY);
if (fd == -1)
err(1, "Could not open %s", disk->name);
MBR_read(disk, fd, offset, mbr);
DISK_close(fd);
mbr_t *mbr;
fd = DISK_open(disk->name, O_RDONLY);
if (fd == -1)
err(1, "Could not open %s", disk->name);
/*offset = firstoff = 0;*/
if (!do_dump)
branches/cparm/i386/util/fdisk/mbr.c
237237
238238
239239
240
240241
242
243
241244
242245
243246
......
393396
394397
395398
399
396400
397401
398402
......
446450
447451
448452
453
449454
450455
451456
......
475480
476481
477482
483
484
478485
479486
480487
488
481489
482490
483491
......
511519
512520
513521
522
523
514524
515525
516526
mbr_t *mbrd;
mbrd = MBR_alloc(NULL);
if (!mbr) errx(1, "out of memory");
fd = DISK_open(disk->name, O_RDONLY);
if (fd == -1)
err(1, "Could not open %s", disk->name);
MBR_read(disk, fd, offset, mbrd);
DISK_close(fd);
MBR_parse(disk, offset, reloff, mbrd);
if (mbr == NULL) {
mbr = MBR_alloc(prev_mbr);
if (!mbr) errx(1, "out of memory");
if (head == NULL)
head = mbr;
}
MBR_alloc(mbr_t *parent)
{
mbr_t *mbr = (mbr_t *)malloc(sizeof(mbr_t));
if (!mbr) return NULL;
bzero(mbr, sizeof(mbr_t));
if (parent) {
parent->next = mbr;
int i, fd, offset, firstoff;
fd = DISK_open(disk->name, O_RDONLY);
if (fd == -1)
err(1, "Could not open %s", disk->name);
firstoff = offset = 0;
do {
mbr = MBR_alloc(mbr);
if (!mbr) errx(1, "out of memory");
if (head == NULL) {
head = mbr;
}
int fd;
fd = DISK_open(disk->name, O_RDWR);
if (fd == -1)
err(1, "Could not open %s", disk->name);
while (mbr) {
MBR_make(mbr);
result = MBR_write(disk, fd, mbr);
branches/cparm/i386/util/fdisk/disk.c
167167
168168
169169
170
170
171
172
173
171174
172175
173176
/* Get label metrics */
if ((fd = DISK_open(name, O_RDONLY)) != -1) {
lm = malloc(sizeof(DISK_metrics));
if (!lm) {
err(1, "DISK_getlabelmetrics: Could not allocate memory");
return NULL;
}
if (fstat(fd, &st) == -1)
err(1, "%s", name);
if (!S_ISREG(st.st_mode) || S_ISBLK(st.st_mode)) {

Archive Download the corresponding diff file

Revision: 2121