garmin: fix file length header parsing

Oops.  I used array_uint16_le() to get the data size.  Too much
copy-and-paste from the profile version (which is indeed 16 bits).

The data size is a 32-bit entity, and this would truncate the data we
read.

Also, verify that there is space for the final CRC in the file, even if
we don't actually check it.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds 2018-08-28 17:26:48 -07:00
parent bc2ba57302
commit 6d53e31cba


@ -363,6 +363,7 @@ static int traverse_regular(struct garmin_parser_t *garmin,
ERROR(garmin->base.context, "Unknown base type %d\n", base_type);
data += size;
len -= size;
total_len += size;
continue;
}
base_size = base_size_array[base_type];
@ -522,10 +523,10 @@ static int traverse_data(struct garmin_parser_t *garmin)
hdrsize = data[0];
protocol = data[1];
profile = array_uint16_le(data+2);
datasize = array_uint16_le(data+4);
datasize = array_uint32_le(data+4);
if (memcmp(data+8, ".FIT", 4))
return -1;
if (hdrsize < 12 || datasize > len || datasize + hdrsize > len)
if (hdrsize < 12 || datasize > len || datasize + hdrsize + 2 > len)
return -1;
garmin->cache.protocol = protocol;