If idx is too large, segfault can happen. Also cycle is now detected properly.
Signed-off-by: Jan Friesse <jfriesse@xxxxxxxxxx>
---
tools/corosync-fplay.c | 13 +++++++++++++
1 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/tools/corosync-fplay.c b/tools/corosync-fplay.c
index f07e225..a18bbfc 100644
--- a/tools/corosync-fplay.c
+++ b/tools/corosync-fplay.c
@@ -350,6 +350,8 @@ static unsigned int printer_subsys_count =
 static uint32_t g_record[G_RECORD_SIZE];
+static int file_rewind = 0;
+
 /* * Copy record, dealing with wrapping */
@@ -357,6 +359,11 @@ static int logsys_rec_get (int rec_idx) {
 uint32_t rec_size;
 int firstcopy, secondcopy;
+ if (rec_idx >= flt_data_size) {
+ fprintf (stderr, "rec_idx too large. Input file is probably corrupted.\n");
+ exit (EXIT_FAILURE);
+ }
+
 rec_size = flt_data[rec_idx];
 firstcopy = rec_size;
@@ -373,6 +380,12 @@ static int logsys_rec_get (int rec_idx) {
 }
 if (firstcopy + rec_idx > flt_data_size) {
+ if (file_rewind) {
+ fprintf (stderr, "file rewind for second time (cycle). Input file is probably corrupted.\n");
+ exit (EXIT_FAILURE);
+ }
+
+ file_rewind = 1;
 firstcopy = flt_data_size - rec_idx;
 secondcopy -= firstcopy - rec_size;
 }
--
1.7.1
_______________________________________________ discuss mailing list discuss@xxxxxxxxxxxx http://lists.corosync.org/mailman/listinfo/discuss
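Review bot: The new guard in logsys_rec_get bounds rec_idx but not the value read through it: `rec_size = flt_data[rec_idx]` comes from the input file and is assigned to the signed `firstcopy` without being compared with G_RECORD_SIZE. The copy into `g_record` lies outside this hunk, so this is inferred, but if that copy is sized by rec_size a corrupted length could still run past `g_record[G_RECORD_SIZE]`; a check such as `if (rec_size > G_RECORD_SIZE) { fprintf (stderr, "record too large. Input file is probably corrupted.\n"); exit (EXIT_FAILURE); }` directly after the read would cover it. Because rec_idx is an `int`, the guard rejects a negative index only if flt_data_size is unsigned (its declaration is not shown here); writing `if (rec_idx < 0 || rec_idx >= flt_data_size)` makes that explicit.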
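Review bot: `file_rewind` is a file-scope flag that the third hunk sets on the first wrapping record and never clears, so the cycle check is only correct if logsys_rec_get walks the buffer once per process; a second pass over the same data (the callers are not visible here) would exit on a valid file. The declaration added in the first hunk carries no comment, and I would put `/* set once a record has wrapped past the end of flt_data; a second wrap means the records form a cycle */` above it. The body of logsys_rec_get continues outside the hunk.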