amdfwtool: Copy string in a safer way
The issue is reported by Coverity. Using strcpy or strcat to copy strings without checking the length may cause an overflow. BUG=b:188769921 Reported-by: Coverity (CID:1438964) Change-Id: I609d9ce405d01c57b1847a6310630ea0341e13be Signed-off-by: Zheng Bao <fishbaozi@gmail.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/54946 Reviewed-by: Felix Held <felix-coreboot@felixheld.de> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
parent
fd2982ec8a
commit
dac446165e
|
@ -5,6 +5,7 @@
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
|
#include <assert.h>
|
||||||
|
|
||||||
#include "amdfwtool.h"
|
#include "amdfwtool.h"
|
||||||
|
|
||||||
|
@ -410,6 +411,7 @@ uint8_t process_config(FILE *config, amd_cb_config *cb_config, uint8_t print_dep
|
||||||
char oneline[MAX_LINE_SIZE], *path_filename;
|
char oneline[MAX_LINE_SIZE], *path_filename;
|
||||||
regmatch_t match[N_MATCHES];
|
regmatch_t match[N_MATCHES];
|
||||||
char dir[MAX_LINE_SIZE] = {'\0'};
|
char dir[MAX_LINE_SIZE] = {'\0'};
|
||||||
|
uint32_t dir_len;
|
||||||
|
|
||||||
compile_reg_expr(REG_EXTENDED | REG_NEWLINE,
|
compile_reg_expr(REG_EXTENDED | REG_NEWLINE,
|
||||||
blank_or_comment_regex, &blank_or_comment_expr);
|
blank_or_comment_regex, &blank_or_comment_expr);
|
||||||
|
@ -424,7 +426,10 @@ uint8_t process_config(FILE *config, amd_cb_config *cb_config, uint8_t print_dep
|
||||||
continue;
|
continue;
|
||||||
if (is_valid_entry(oneline, match)) {
|
if (is_valid_entry(oneline, match)) {
|
||||||
if (strcmp(&(oneline[match[1].rm_so]), "FIRMWARE_LOCATION") == 0) {
|
if (strcmp(&(oneline[match[1].rm_so]), "FIRMWARE_LOCATION") == 0) {
|
||||||
strcpy(dir, &(oneline[match[2].rm_so]));
|
dir_len = match[2].rm_eo - match[2].rm_so;
|
||||||
|
assert(dir_len < MAX_LINE_SIZE);
|
||||||
|
snprintf(dir, MAX_LINE_SIZE, "%.*s", dir_len,
|
||||||
|
&(oneline[match[2].rm_so]));
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -445,10 +450,10 @@ uint8_t process_config(FILE *config, amd_cb_config *cb_config, uint8_t print_dep
|
||||||
if (strcmp(&(oneline[match[1].rm_so]), "FIRMWARE_LOCATION") == 0) {
|
if (strcmp(&(oneline[match[1].rm_so]), "FIRMWARE_LOCATION") == 0) {
|
||||||
continue;
|
continue;
|
||||||
} else {
|
} else {
|
||||||
path_filename = malloc(MAX_LINE_SIZE);
|
path_filename = malloc(MAX_LINE_SIZE * 2 + 2);
|
||||||
strcpy(path_filename, dir);
|
snprintf(path_filename, MAX_LINE_SIZE * 2 + 2, "%.*s/%.*s",
|
||||||
strcat(path_filename, "/");
|
MAX_LINE_SIZE, dir, MAX_LINE_SIZE,
|
||||||
strcat(path_filename, &(oneline[match[2].rm_so]));
|
&(oneline[match[2].rm_so]));
|
||||||
|
|
||||||
if (find_register_fw_filename_psp_dir(
|
if (find_register_fw_filename_psp_dir(
|
||||||
&(oneline[match[1].rm_so]),
|
&(oneline[match[1].rm_so]),
|
||||||
|
|
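Review bot: In the last hunk the result of `malloc(MAX_LINE_SIZE * 2 + 2)` is handed to `snprintf` without a NULL check, so an allocation failure turns into a write through a null pointer; add `if (path_filename == NULL)` with process_config's error return directly after the allocation. The size expression is also spelled out twice, and a local such as `size_t path_size = MAX_LINE_SIZE * 2 + 2;` would keep the allocation and the snprintf bound from drifting apart. In the `FIRMWARE_LOCATION` hunk, `dir_len` is a `uint32_t` but the `%.*s` precision argument must be an `int`, so pass `(int)dir_len`; the `assert` there vanishes under `NDEBUG`, so it documents the invariant rather than enforcing it, and the `MAX_LINE_SIZE` bound given to `snprintf` is what actually limits the copy. process_config starts and ends outside these hunks, so whether `path_filename` is freed later cannot be seen here.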