additional length >= size checks

Messenger.c: - additional size checks - removed one pointless copying of data, instead using it directly util.c: - lost a newline vs. master
2024-03-22 13:30:51 +08:00 · 2013-09-16 09:40:47 +02:00 · 2013-09-16 09:40:47 +02:00 · a069f67ab3
commit a069f67ab3
parent 57d10f0a80
2 changed files with 13 additions and 11 deletions
--- a/toxcore/Messenger.c
+++ b/toxcore/Messenger.c
@ -1393,6 +1393,9 @@ static int Messenger_load_old(Messenger *m, uint8_t *data, uint32_t length)
    length -= sizeof(nospam);

    uint32_t size;
+    if (length < sizeof(size))
+        return -1;
+
    memcpy(&size, data, sizeof(size));
    data += sizeof(size);
    length -= sizeof(size);
@ -1419,24 +1422,22 @@ static int Messenger_load_old(Messenger *m, uint8_t *data, uint32_t length)

    if (!(size % sizeof(Friend))) {
        uint16_t num = size / sizeof(Friend);
-        Friend temp[num];
-        memcpy(temp, data, size);
+        Friend *friend_list = (Friend *)data;

        uint32_t i;
-
        for (i = 0; i < num; ++i) {
-            if (temp[i].status >= 3) {
-                int fnum = m_addfriend_norequest(m, temp[i].client_id);
-                setfriendname(m, fnum, temp[i].name, temp[i].name_length);
+            if (friend_list[i].status >= 3) {
+                int fnum = m_addfriend_norequest(m, friend_list[i].client_id);
+                setfriendname(m, fnum, friend_list[i].name, friend_list[i].name_length);
                /* set_friend_statusmessage(fnum, temp[i].statusmessage, temp[i].statusmessage_length); */
-            } else if (temp[i].status != 0) {
+            } else if (friend_list[i].status != 0) {
                /* TODO: This is not a good way to do this. */
                uint8_t address[FRIEND_ADDRESS_SIZE];
-                memcpy(address, temp[i].client_id, crypto_box_PUBLICKEYBYTES);
-                memcpy(address + crypto_box_PUBLICKEYBYTES, &(temp[i].friendrequest_nospam), sizeof(uint32_t));
+                memcpy(address, friend_list[i].client_id, crypto_box_PUBLICKEYBYTES);
+                memcpy(address + crypto_box_PUBLICKEYBYTES, &(friend_list[i].friendrequest_nospam), sizeof(uint32_t));
                uint16_t checksum = address_checksum(address, FRIEND_ADDRESS_SIZE - sizeof(checksum));
                memcpy(address + crypto_box_PUBLICKEYBYTES + sizeof(uint32_t), &checksum, sizeof(checksum));
-                m_addfriend(m, address, temp[i].info, temp[i].info_size);
+                m_addfriend(m, address, friend_list[i].info, friend_list[i].info_size);
            }
        }
    }
@ -1453,7 +1454,7 @@ static int Messenger_load_old(Messenger *m, uint8_t *data, uint32_t length)
    data += sizeof(small_size);
    length -= sizeof(small_size);

-    if (length != small_size)
+    if (length < small_size)
        return -1;

    setname(m, data, small_size);
--- a/toxcore/util.c
+++ b/toxcore/util.c
@ -13,6 +13,7 @@

 /* for CLIENT_ID_SIZE */
 #include "DHT.h"
+
 #include "util.h"

 uint64_t now()