File gypsy-CVE-2011-0524.patch of Package gypsy

From 03932804cd4b8e5a79c483fb05c82743f5ee93a2 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Wed, 12 Oct 2011 12:15:44 +0100
Subject: [PATCH] Prevent buffer overflows in NMEA parsing

By using snprintf() instead of sprintf.

https://bugs.freedesktop.org/show_bug.cgi?id=33431
---
 src/nmea-gen.c |   61 ++++++++++++++++++++++++++++---------------------------
 1 files changed, 31 insertions(+), 30 deletions(-)

diff --git a/src/nmea-gen.c b/src/nmea-gen.c
index a8c2483..c52f925 100644
--- a/src/nmea-gen.c
+++ b/src/nmea-gen.c
@@ -54,6 +54,7 @@
 #include "nmea-gen.h"
 
 #define NMEA_BUF_SIZE		256
+#define NMEASTC_BUF_SIZE	256
 #define NMEA_LATLON_SIZE	16
 #define NMEA_UTC_SIZE		16
 
@@ -121,7 +122,7 @@ void nmea_getutc(D800_Pvt_Data_Type *pvt, char *utctime, char *utcdate) {
 		h = tmp / 3600;
 		m = (tmp - h*3600) / 60;
 		s = (tmp - h*3600 - m*60);
-		sprintf(utctime, "%02d%02d%02d", h, m, s);
+		snprintf(utctime, NMEA_UTC_SIZE, "%02d%02d%02d", h, m, s);
 	}
 
 	if (utcdate) {
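Review bot: The bound in `snprintf(utctime, NMEA_UTC_SIZE, ...)` is a file-local constant, while `utctime` is a pointer supplied by the caller, so the call is only safe if every caller's buffer is at least NMEA_UTC_SIZE bytes, which nothing in this hunk shows. The same holds for `utcdate` in the next hunk, for `latstr`/`lonstr` with NMEA_LATLON_SIZE, and for `nmeastc` with the new NMEASTC_BUF_SIZE. I would record the contract where callers can see it, for example `/* utctime and utcdate must each point to at least NMEA_UTC_SIZE bytes */` above nmea_getutc, with matching comments for the other two constants; if nmea-gen.h does not already export these sizes, they would need to move there. nmea_getutc starts before this hunk and continues past it.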
@@ -149,7 +150,7 @@ void nmea_getutc(D800_Pvt_Data_Type *pvt, char *utctime, char *utcdate) {
 
 		year -= 2000;
 
-		sprintf(utcdate, "%02d%02d%02d", day, month, year);
+		snprintf(utcdate, NMEA_UTC_SIZE, "%02d%02d%02d", day, month, year);
 	}
 }
 
@@ -157,16 +158,16 @@ void nmea_fmtlat(double lat, char *latstr) {
 	double	latdeg, tmp;
 	latdeg = rad2deg(fabs(lat));
 	tmp = floor(latdeg);
-	sprintf(latstr, "%02d%07.4f,%c", (int)tmp, (latdeg - tmp) * 60,
-		(lat >= 0) ? 'N' : 'S');
+	snprintf(latstr, NMEA_LATLON_SIZE, "%02d%07.4f,%c", (int)tmp, (latdeg - tmp) * 60,
+		 (lat >= 0) ? 'N' : 'S');
 }
 
 void nmea_fmtlon(double lon, char *lonstr) {
 	double	londeg, tmp;
 	londeg = rad2deg(fabs(lon));
 	tmp = floor(londeg);
-	sprintf(lonstr, "%03d%07.4f,%c", (int)tmp, (londeg - tmp) * 60,
-		(lon >= 0) ? 'E' : 'W');
+	snprintf(lonstr, NMEA_LATLON_SIZE, "%03d%07.4f,%c", (int)tmp, (londeg - tmp) * 60,
+		 (lon >= 0) ? 'E' : 'W');
 }
 
 /*
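Review bot: In nmea_fmtlat and nmea_fmtlon the degree value is not range-checked before `(int)tmp`, so a non-finite or very large `lat`/`lon` makes the double-to-int conversion undefined, and any output longer than 15 characters is now silently cut off, losing the trailing `,N`/`,E` field. The later hunks paste these strings into a sentence with `%s`, so a truncated string would shift every following field. A guard after the rad2deg() line would keep the field count stable, e.g. `if (!(latdeg <= 90.0)) { snprintf(latstr, NMEA_LATLON_SIZE, ","); return; }`, and the same with `180.0` for longitude. Whether the receiver data can actually carry such values is not visible here.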
@@ -216,12 +217,12 @@ int nmea_gpgga(D800_Pvt_Data_Type *pvt, cpo_sat_data *sat, char *nmeastc) {
 		}
 	}
 
-	sprintf(buf, "GPGGA,%s,%s,%s,%d,%02d,,%.1f,M,%.1f,M,,", utc, slat, slon, fix, nsat,
-		pvt->msl_hght + pvt->alt, -pvt->msl_hght);
+	snprintf(buf, NMEA_BUF_SIZE, "GPGGA,%s,%s,%s,%d,%02d,,%.1f,M,%.1f,M,,", utc, slat, slon, fix, nsat,
+		 pvt->msl_hght + pvt->alt, -pvt->msl_hght);
 
 	cksum = nmea_cksum(buf);
 
-	sprintf(nmeastc, "$%s*%02X\r\n", buf, cksum);
+	snprintf(nmeastc, NMEASTC_BUF_SIZE, "$%s*%02X\r\n", buf, cksum);
 
 	return 0;
 }
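Review bot: Both snprintf() return values in nmea_gpgga are discarded, so a truncated sentence is still reported as success by `return 0;`. The wrapper `"$%s*%02X\r\n"` adds six characters to `buf`, and NMEASTC_BUF_SIZE equals NMEA_BUF_SIZE, so a `buf` near its limit would lose the checksum and CR/LF; `buf` is declared outside the hunk, so I am assuming it is NMEA_BUF_SIZE bytes. I would capture and test the result, e.g. `n = snprintf(nmeastc, NMEASTC_BUF_SIZE, "$%s*%02X\r\n", buf, cksum);` followed by `if (n < 0 || n >= NMEASTC_BUF_SIZE) return -1;`, and do the same for the write into `buf`. This applies equally to the nmea_gprmc, nmea_gpgll and nmea_gpgsa hunks and to the null-sentence paths in nmea_gpgsv. Confirm that callers treat a non-zero return as an error before adopting `-1`.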
@@ -268,13 +269,13 @@ int nmea_gprmc(D800_Pvt_Data_Type *pvt, char *nmeastc) {
 		g_lastcourse = course;	/* remember for later */
 	}
 
-	sprintf(buf, "GPRMC,%s,%c,%s,%s,%05.1f,%05.1f,%s,,", utctime,
-		(pvt->fix >= 2 && pvt->fix <= 5) ? 'A' : 'V',
-		slat, slon, speed, course, utcdate);
+	snprintf(buf, NMEA_BUF_SIZE, "GPRMC,%s,%c,%s,%s,%05.1f,%05.1f,%s,,", utctime,
+		 (pvt->fix >= 2 && pvt->fix <= 5) ? 'A' : 'V',
+		 slat, slon, speed, course, utcdate);
 
 	cksum = nmea_cksum(buf);
 
-	sprintf(nmeastc, "$%s*%02X\r\n", buf, cksum);
+	snprintf(nmeastc, NMEASTC_BUF_SIZE, "$%s*%02X\r\n", buf, cksum);
 
 	return 0;
 }
@@ -298,12 +299,12 @@ int nmea_gpgll(D800_Pvt_Data_Type *pvt, char *nmeastc) {
 	/* longitude */
 	nmea_fmtlon(pvt->lon, slon);
 
-	sprintf(buf, "GPGLL,%s,%s,%s,%c", slat, slon, utctime,
-		(pvt->fix >= 2 && pvt->fix <= 5) ? 'A' : 'V');
+	snprintf(buf, NMEA_BUF_SIZE, "GPGLL,%s,%s,%s,%c", slat, slon, utctime,
+		 (pvt->fix >= 2 && pvt->fix <= 5) ? 'A' : 'V');
 
 	cksum = nmea_cksum(buf);
 
-	sprintf(nmeastc, "$%s*%02X\r\n", buf, cksum);
+	snprintf(nmeastc, NMEASTC_BUF_SIZE, "$%s*%02X\r\n", buf, cksum);
 
 	return 0;
 }
@@ -334,7 +335,7 @@ int nmea_gpgsa(D800_Pvt_Data_Type *pvt, cpo_sat_data *sat, char *nmeastc) {
 		fprintf(stderr, "WARNING: unknown fix type %d\n", pvt->fix);
 	}
 
-	sprintf(buf, "GPGSA,A,%d", fix);
+	snprintf(buf, NMEA_BUF_SIZE, "GPGSA,A,%d", fix);
 
 	if (sat != NULL) {
 		for (i = 0; i < SAT_MAX_COUNT; i++) {
@@ -343,7 +344,7 @@ int nmea_gpgsa(D800_Pvt_Data_Type *pvt, cpo_sat_data *sat, char *nmeastc) {
 #ifdef DEBUG
 				g_debug ("%s:     using sat %2d", __FUNCTION__, sat[i].svid);
 #endif
-				sprintf(buf+strlen(buf), ",%02d", sat[i].svid);
+				snprintf(buf+strlen(buf), NMEA_BUF_SIZE - strlen(buf), ",%02d", sat[i].svid);
 				nsat++;
 			}
 			else
@@ -362,10 +363,10 @@ int nmea_gpgsa(D800_Pvt_Data_Type *pvt, cpo_sat_data *sat, char *nmeastc) {
 		strcat(buf, ",,,,,,,,,,,,");
 	}
 
-	sprintf(buf+strlen(buf), ",,,");	// this should be DOP info
+	snprintf(buf+strlen(buf), NMEA_BUF_SIZE - strlen(buf),",,,");	// this should be DOP info
 
 	cksum = nmea_cksum(buf);
-	sprintf(nmeastc, "$%s*%02X\r\n", buf, cksum);
+	snprintf(nmeastc, NMEASTC_BUF_SIZE, "$%s*%02X\r\n", buf, cksum);
 
 	return 0;
 }
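Review bot: The context line `strcat(buf, ",,,,,,,,,,,,");` at the top of this hunk is still an unbounded append, left as is while every sprintf() around it is bounded. On the path shown it adds twelve bytes to a short `buf`, so it very likely fits, but the next line computes `NMEA_BUF_SIZE - strlen(buf)` as an unsigned value, which would wrap to a huge bound if an earlier unbounded append had already run past the buffer. For consistency I would write it as `snprintf(buf+strlen(buf), NMEA_BUF_SIZE - strlen(buf), ",,,,,,,,,,,,");`. The branch containing the strcat() starts before the hunk, so any sibling strcat() calls in the satellite loop are not visible here and should be checked too.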
@@ -386,9 +387,9 @@ int nmea_gpgsv(cpo_sat_data *sat, char *nmeastc) {
 	int		nsat, i, nout, msgi;
 
 	if (sat == NULL) {
-		sprintf(buf, "GPGSV,1,1,00");
+		snprintf(buf, NMEA_BUF_SIZE, "GPGSV,1,1,00");
 		cksum = nmea_cksum(buf);
-		sprintf(nmeastc, "$%s*%02X\r\n", buf, cksum);
+		snprintf(nmeastc, NMEASTC_BUF_SIZE, "$%s*%02X\r\n", buf, cksum);
 		return 0;
 	}
 
@@ -417,15 +418,15 @@ int nmea_gpgsv(cpo_sat_data *sat, char *nmeastc) {
 
 	if (nsat == 0) {
 		/* build a 'null' GPGSV string */
-		sprintf(buf, "GPGSV,1,1,00");
+		snprintf(buf, NMEA_BUF_SIZE, "GPGSV,1,1,00");
 		cksum = nmea_cksum(buf);
-		sprintf(nmeastc, "$%s*%02X\r\n", buf, cksum);
+		snprintf(nmeastc, NMEASTC_BUF_SIZE, "$%s*%02X\r\n", buf, cksum);
 	} else {
 		/* scan the array again and build the GPGSV string(s) of active sats */
 		nout = 0;
 		msgi = 1;
 		nmeastc[0] = 0;
-		sprintf(buf, "GPGSV,%d,%d,%02d", (nsat-1)/4+1, msgi, nsat);
+		snprintf(buf, NMEA_BUF_SIZE, "GPGSV,%d,%d,%02d", (nsat-1)/4+1, msgi, nsat);
 		for (i = 0; i < SAT_MAX_COUNT; i++) {
 			if (((sat[i].status & SAT_STATUS_MASK) == SAT_STATUS_GOOD) && (sat[i].svid <= MAX_SAT_SVID)) {
 				int snr;
@@ -435,24 +436,24 @@ int nmea_gpgsv(cpo_sat_data *sat, char *nmeastc) {
 //				else
 					snr = sat[i].snr/100;	/* empirically, this seems to be the correct factor */
 
-				sprintf(buf+strlen(buf), ",%02d,%02d,%03d,%02d",
-					sat[i].svid, sat[i].elev, sat[i].azmth, snr);
+				snprintf(buf+strlen(buf), NMEA_BUF_SIZE - strlen(buf), ",%02d,%02d,%03d,%02d",
+					 sat[i].svid, sat[i].elev, sat[i].azmth, snr);
 				nout++;
 
 				/* if we have accumulated a group of 4 sats, write out the string */
 				if (nout == 4) {
 					cksum = nmea_cksum(buf);
-					sprintf(nmeastc+strlen(nmeastc), "$%s*%02X\r\n", buf, cksum);
+					snprintf(nmeastc+strlen(nmeastc), NMEASTC_BUF_SIZE - strlen(nmeastc), "$%s*%02X\r\n", buf, cksum);
 					msgi++;
 					nout = 0;
-					sprintf(buf, "GPGSV,%d,%d,%02d", (nsat-1)/4+1, msgi, nsat);
+					snprintf(buf, NMEA_BUF_SIZE, "GPGSV,%d,%d,%02d", (nsat-1)/4+1, msgi, nsat);
 				}
 			}
 		}
 
 		if (nout != 0) {
 			cksum = nmea_cksum(buf);
-			sprintf(nmeastc+strlen(nmeastc), "$%s*%02X\r\n", buf, cksum);
+			snprintf(nmeastc+strlen(nmeastc), NMEASTC_BUF_SIZE - strlen(nmeastc), "$%s*%02X\r\n", buf, cksum);
 		}
 	}
 
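Review bot: In the multi-sentence branch every GPGSV sentence is appended to the same `nmeastc`, so NMEASTC_BUF_SIZE now caps the total of all sentences rather than each one, and the two `snprintf(nmeastc+strlen(nmeastc), ...)` calls drop whatever does not fit without telling the caller. Because `%02d`/`%03d` are minimum widths, the per-satellite fields can be wider than the nominal layout if the receiver reports large values, so the total is not obviously below 256; the field types and SAT_MAX_COUNT are defined outside the hunk. A truncated append also leaves a partial sentence with no checksum or CR/LF at the end of the output. I would take the used length once, test the return value, and cut the output back to the last complete sentence on failure, as sketched below for the first append; the `nout != 0` append would get the same treatment. The function's declarations and final return are outside this hunk, and `-1` as the error value is an assumption about what callers accept.

```c
				if (nout == 4) {
					size_t used = strlen(nmeastc);
					int n;

					cksum = nmea_cksum(buf);
					n = snprintf(nmeastc + used, NMEASTC_BUF_SIZE - used,
						     "$%s*%02X\r\n", buf, cksum);
					if (n < 0 || (size_t)n >= NMEASTC_BUF_SIZE - used) {
						nmeastc[used] = 0;	/* keep only complete sentences */
						return -1;
					}
					/* … unchanged: msgi++, nout reset, next GPGSV header … */
				}
```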
-- 
1.7.6.2
