The Mayhem Team found a crash caused by a nullptr. Details are here: http://www.forallsecure.com/bug-reports/567323cd26f180910beb03ae26afb40c432a0c6a/ Signed-off-by: Gregor Jasny <gjasny@xxxxxxxxxxxxxx> --- utils/keytable/keytable.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/utils/keytable/keytable.c b/utils/keytable/keytable.c index 06b3d95..8bcd5c4 100644 --- a/utils/keytable/keytable.c +++ b/utils/keytable/keytable.c @@ -207,13 +207,19 @@ static error_t parse_keyfile(char *fname, char **table) p++; p = strtok(p, "\n\t =:"); do { + if (!p) + goto err_einval; if (!strcmp(p, "table")) { p = strtok(NULL,"\n, "); + if (!p) + goto err_einval; *table = malloc(strlen(p) + 1); strcpy(*table, p); } else if (!strcmp(p, "type")) { p = strtok(NULL, " ,\n"); do { + if (!p) + goto err_einval; if (!strcasecmp(p,"rc5") || !strcasecmp(p,"rc-5")) ch_proto |= RC_5; else if (!strcasecmp(p,"rc6") || !strcasecmp(p,"rc-6")) @@ -447,6 +453,8 @@ static error_t parse_opt(int k, char *arg, struct argp_state *state) case 'p': p = strtok(arg, ",;"); do { + if (!p) + goto err_inval; if (!strcasecmp(p,"rc5") || !strcasecmp(p,"rc-5")) ch_proto |= RC_5; else if (!strcasecmp(p,"rc6") || !strcasecmp(p,"rc-6")) @@ -813,14 +821,19 @@ static int v1_get_sw_enabled_protocol(char *dirname) return 0; } - p = strtok(buf, " \n"); - rc = atoi(p); - if (fclose(fp)) { perror(name); return errno; } + p = strtok(buf, " \n"); + if (!p) { + fprintf(stderr, "%s has invalid content: '%s'\n", name, buf); + return 0; + } + + rc = atoi(p); + if (debug) fprintf(stderr, "protocol %s is %s\n", name, rc? "enabled" : "disabled"); -- 1.8.3.1 -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
