diff options
| author | Víctor Manuel Jáquez Leal <vjaquez@igalia.com> | 2018-07-13 14:07:49 +0200 |
|---|---|---|
| committer | XinfengZhang <carl.zhang@intel.com> | 2018-12-19 19:45:09 -0800 |
| commit | 8e890e3a0a5c91ba921d9fbedc532c596ff46dd1 (patch) | |
| tree | 8ef1ec9fc9843edb7344e8a3e868fb792e8e66c9 | |
| parent | f804f0ec3a9c06065ec194c0d888039a6083e6c1 (diff) | |
| download | libva-8e890e3a0a5c91ba921d9fbedc532c596ff46dd1.tar.gz | |
av: avoid driver path truncation
Using strncat() and strncpy() may lead to string truncation, which
might generate other issues.
This patch replaces the usage of strncat() and strncpy() to generate
the driver path, with snprintf() safetly.
See more information here:
https://developers.redhat.com/blog/2018/05/24/detecting-string-truncation-with-gcc-8/
| -rw-r--r-- | va/va.c | 26 |
1 files changed, 18 insertions, 8 deletions
@@ -349,6 +349,23 @@ static VAStatus va_getDriverName(VADisplay dpy, char **driver_name) return pDisplayContext->vaGetDriverName(pDisplayContext, driver_name); } +static char *va_getDriverPath(const char *driver_dir, const char *driver_name) +{ + int n = snprintf(0, 0, "%s/%s%s", driver_dir, driver_name, DRIVER_EXTENSION); + if (n < 0) + return NULL; + char *driver_path = (char *) malloc(n + 1); + if (!driver_path) + return NULL; + n = snprintf(driver_path, n + 1, "%s/%s%s", + driver_dir, driver_name, DRIVER_EXTENSION); + if (n < 0) { + free(driver_path); + return NULL; + } + return driver_path; +} + static VAStatus va_openDriver(VADisplay dpy, char *driver_name) { VADriverContextP ctx = CTX(dpy); @@ -367,9 +384,7 @@ static VAStatus va_openDriver(VADisplay dpy, char *driver_name) driver_dir = strtok_r(search_path, ":", &saveptr); while (driver_dir) { void *handle = NULL; - char *driver_path = (char *) malloc( strlen(driver_dir) + - strlen(driver_name) + - strlen(DRIVER_EXTENSION) + 2 ); + char *driver_path = va_getDriverPath(driver_dir, driver_name); if (!driver_path) { va_errorMessage(dpy, "%s L%d Out of memory!n", __FUNCTION__, __LINE__); @@ -377,11 +392,6 @@ static VAStatus va_openDriver(VADisplay dpy, char *driver_name) return VA_STATUS_ERROR_ALLOCATION_FAILED; } - strncpy( driver_path, driver_dir, strlen(driver_dir) + 1); - strncat( driver_path, "/", strlen("/") ); - strncat( driver_path, driver_name, strlen(driver_name) ); - strncat( driver_path, DRIVER_EXTENSION, strlen(DRIVER_EXTENSION) ); - va_infoMessage(dpy, "Trying to open %s\n", driver_path); #ifndef ANDROID handle = dlopen( driver_path, RTLD_NOW | RTLD_GLOBAL | RTLD_NODELETE ); |