From fc34d67dc7f4f322d5ded5291ecaebdf324aa193 Mon Sep 17 00:00:00 2001
From: Alessandro Ros
Date: Thu, 17 Oct 2024 14:14:55 +0200
Subject: [PATCH] fix segfault when using invalid ROI or AfWindow parameters (#27)
---
 parameters.c | 19 ++++++++-----------
 window.c | 11 ++++++++---
 2 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/parameters.c b/parameters.c
index daddec7..68dfc8b 100644
--- a/parameters.c
+++ b/parameters.c
@@ -24,16 +24,13 @@ const char *parameters_get_error() {
 bool parameters_unserialize(parameters_t *params, const uint8_t *buf, size_t buf_size) {
 memset(params, 0, sizeof(parameters_t));
- char *tmp = malloc(buf_size + 1);
- memcpy(tmp, buf, buf_size);
- tmp[buf_size] = 0x00;
-
- while (true) {
- char *entry = strsep(&tmp, " ");
- if (entry == NULL) {
- break;
- }
+ char *copy = malloc(buf_size + 1);
+ memcpy(copy, buf, buf_size);
+ copy[buf_size] = 0x00;
+ char *ptr = copy;
+ char *entry;
+ while ((entry = strsep(&ptr, " ")) != NULL) {
 char *key = strsep(&entry, ":");
 char *val = strsep(&entry, ":");
@@ -160,7 +157,7 @@ bool parameters_unserialize(parameters_t *params, const uint8_t *buf, size_t buf
 }
 }
- free(tmp);
+ free(copy);
 params->buffer_count = 6;
 params->capture_buffer_count = params->buffer_count * 2;
@@ -168,7 +165,7 @@ bool parameters_unserialize(parameters_t *params, const uint8_t *buf, size_t buf
 return true;
 failed:
- free(tmp);
+ free(copy);
 parameters_destroy(params);
 return false;
diff --git a/window.c b/window.c
index 83e6535..7b34903 100644
--- a/window.c
+++ b/window.c
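Review bot: In the first parameters.c hunk, the result of `malloc(buf_size + 1)` goes straight into `memcpy` without a NULL check, so an allocation failure in parameters_unserialize becomes a null-pointer write instead of a `false` return. A guard directly after the allocation, `if (copy == NULL) { return false; }`, keeps that failure on the function's error path; whether an error string should also be set cannot be seen from this hunk. Separately, `val` is NULL whenever an entry carries no `:`, and the code that consumes `key` and `val` lies outside the hunk, so it is worth confirming that it checks for NULL before use. The other two parameters.c hunks only switch `free(tmp)` to `free(copy)` and need no change.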
@@ -4,19 +4,24 @@
 #include "window.h"
 bool window_load(const char *encoded, window_t *window) {
+ char *copy = strdup(encoded);
 float vals[4];
 int i = 0;
- char *token = strtok((char *)encoded, ",");
- while (token != NULL) {
+ char *ptr = copy;
+ char *token;
+
+ while ((token = strsep(&ptr, ",")) != NULL) {
 vals[i] = atof(token);
 if (vals[i] < 0 || vals[i] > 1) {
+ free(copy);
 return false;
 }
 i++;
- token = strtok(NULL, ",");
 }
+ free(copy);
+
 if (i != 4) {
 return false;
 }
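Review bot: `vals[i] = atof(token)` in the loop still stores without checking `i` against the four-element `vals` array, so an encoded string with more than four in-range fields writes past the end of the stack buffer before the `i != 4` test is reached. A guard at the top of the loop body, `if (i >= 4) { free(copy); return false; }`, rejects the extra field and stays consistent with the new cleanup. Two behaviour changes also deserve a comment: unlike `strtok`, `strsep` returns empty tokens and `atof("")` yields 0, so an input such as `,,,` now passes as four zeros; and `atof` gives no error indication, so non-numeric text and NaN are not rejected by `vals[i] < 0 || vals[i] > 1`. window_load continues past the end of the hunk.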