author | erik <erik> | 2007-01-26 20:26:25 (UTC) |
---|---|---|
committer | erik <erik> | 2007-01-26 20:26:25 (UTC) |
commit | 4688f98202f590ec6af6c2e66a49dd2f80536083 (patch) (side-by-side diff) | |
tree | 326c92aef3382b804d51aa9a66f4148ebc91860b | |
parent | cc5b326a212414a612838b0041e6077477ebbc70 (diff) | |
The Expand call does not check for null termination of the URL strings
that it is expanding. Since strlen() is used with the URLs after Expand
is used, it is a good idea to make sure that Expand terminates the strings.
This commit changes that so that the URL strings are guaranteed to be
terminated after expansion.
-rw-r--r-- | noncore/apps/opie-reader/plucker_base.cpp | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/noncore/apps/opie-reader/plucker_base.cpp b/noncore/apps/opie-reader/plucker_base.cpp
index 81614f5..849edfc 100644
--- a/noncore/apps/opie-reader/plucker_base.cpp
+++ b/noncore/apps/opie-reader/plucker_base.cpp
@@ -1,191 +1,193 @@ #include <stdio.h> #include <string.h> #include <qmessagebox.h> #include <qpixmap.h> #ifdef USEQPE #include <qpe/qcopenvelope_qws.h> #endif /* USEQPE */ #ifdef LOCALPICTURES #include <qscrollview.h> #endif #ifdef USEQPE #include <qpe/global.h> #endif /* USEQPE */ #include <qclipboard.h> #ifndef USEQPE #include <qapplication.h> #else /* USEQPE */ #include <qpe/qpeapplication.h> #endif /* USEQPE */ #include <qimage.h> #include "plucker_base.h" #include "Aportis.h" #include "hrule.h" #include "decompress.h" const UInt8 CPlucker_base::continuation_bit = 1; CPlucker_base::CPlucker_base() : #ifdef LOCALPICTURES m_viewer(NULL), m_picture(NULL), #endif expandedtextbuffer(NULL), compressedtextbuffer(NULL), bufferrec(-1), m_offset(0) //, urls(NULL) { /*printf("constructing:%x\n",fin);*/ } void CPlucker_base::Expand(UInt32 reclen, UInt8 type, UInt8* buffer, UInt32 buffersize) { unsuspend(); if ((type%2 == 0) && (type != 14)) { - fread(buffer, reclen, sizeof(char), fin); + size_t bytes_read = fread(buffer, reclen, sizeof(char), fin); + buffer[bytes_read] = '\0'; } else { UInt8* readbuffer = NULL; if (reclen > compressedbuffersize) { readbuffer = new UInt8[reclen]; } else { readbuffer = compressedtextbuffer; } if (readbuffer != NULL) { fread(readbuffer, reclen, sizeof(char), fin); - (*m_decompress)(readbuffer, reclen, buffer, buffersize); + size_t bytes_read = (*m_decompress)(readbuffer, reclen, buffer, buffersize); + buffer[bytes_read] = '\0'; if (reclen > compressedbuffersize) { delete [] readbuffer; } } } } void CPlucker_base::sizes(unsigned long& _file, unsigned long& _text) { _file = file_length; if (textlength == 0) { for (int recptr = 1; recptr < ntohs(head.recordList.numRecords); recptr++) { gotorecordnumber(recptr); UInt16 thishdr_uid, thishdr_nParagraphs; UInt32 thishdr_size; UInt8 thishdr_type, thishdr_reserved; GetHeader(thishdr_uid, thishdr_nParagraphs, thishdr_size, thishdr_type, thishdr_reserved); if (thishdr_type < 2) textlength += 
thishdr_size; } } _text = textlength; //ntohl(hdr0.size); } char* CPlucker_base::geturl(UInt16 tgt) { char * pRet = NULL; gotorecordnumber(0); fread(&hdr0, 1, 6, fin); unsigned int nrecs = ntohs(hdr0.nRecords); //qDebug("Version %u, no. recs %u", ntohs(hdr0.version), nrecs); UInt16 urlid = 0; bool urlsfound = false; char* urls = NULL; size_t urlsize = 0; for (unsigned int i = 0; i < nrecs; i++) { UInt16 id, name; fread(&name, 1, sizeof(name), fin); fread(&id, 1, sizeof(id), fin); //qDebug("N:%d, I:%d", ntohs(name), ntohs(id)); if (ntohs(name) == 2) { urlsfound = true; urlid = id; //qDebug("Found url index:%d", ntohs(urlid)); } // //qDebug("%x", id); } if (urlsfound) { unsigned short recptr = finduid(ntohs(urlid)); if (recptr != 0) { gotorecordnumber(recptr); UInt16 thishdr_uid, thishdr_nParagraphs; UInt32 thishdr_size; UInt8 thishdr_type, thishdr_reserved; GetHeader(thishdr_uid, thishdr_nParagraphs, thishdr_size, thishdr_type, thishdr_reserved); UInt16 urlctr = 0; while (1) { UInt16 tctr; fread(&tctr, 1, sizeof(tctr), fin); fread(&urlid, 1, sizeof(urlid), fin); tctr = ntohs(tctr); //qDebug("tgt:%u urlctr:%u tctr:%u", tgt, urlctr, tctr); if (tctr >= tgt) { break; } urlctr = tctr; } //qDebug("urls are in %d", ntohs(urlid)); recptr = finduid(ntohs(urlid)); if (recptr != 0) { UInt32 reclen = recordlength(recptr) - HeaderSize(); gotorecordnumber(recptr); GetHeader(thishdr_uid, thishdr_nParagraphs, thishdr_size, thishdr_type, thishdr_reserved); //qDebug("Found urls:%x",thishdr_type); urlsize = thishdr_size; urls = new char[urlsize]; Expand(reclen, thishdr_type, (UInt8*)urls, urlsize); char* ptr = urls; int rn = urlctr+1; while (ptr - urls < urlsize) { if (rn == tgt) { //qDebug("URL:%s", ptr); int len = strlen(ptr)+1; pRet = new char[len]; memcpy(pRet, ptr, len); break; } ptr += strlen(ptr)+1; rn++; } delete [] urls; } } } else { pRet = NULL; } return pRet; } CPlucker_base::~CPlucker_base() { if (expandedtextbuffer != NULL) delete [] expandedtextbuffer; if 
(compressedtextbuffer != NULL) delete [] compressedtextbuffer; #ifdef LOCALPICTURES if (m_viewer != NULL) delete m_viewer; #endif } int CPlucker_base::getch() { return getch(false); } void CPlucker_base::getch(tchar& ch, CStyle& sty, unsigned long& pos) { pos = locate(); ch = getch(false); |
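Review bot: In `Expand`, `fread(buffer, reclen, sizeof(char), fin)` is called with `reclen` as the element size and 1 as the count, so the new `bytes_read` is 0 or 1 rather than a byte count, and `buffer[bytes_read] = '\0'` overwrites the first or second byte of every uncompressed record instead of terminating it. Neither new store is compared with `buffersize`; `geturl` allocates `new char[urlsize]` and passes `urlsize`, so if `m_decompress` returns the number of bytes it produced (its definition is not on this page) a record that fills the buffer puts the terminator one byte past the allocation. I would swap the `fread` size and count arguments, guard both stores with `bytes_read < buffersize`, and give `geturl` one spare byte that it terminates itself, as sketched below. `reclen` is also never compared with `buffersize` before the uncompressed read, which predates this commit but is worth bounding while here since both values come from the file.

```cpp
// Expand(), uncompressed branch
size_t bytes_read = fread(buffer, sizeof(char), reclen, fin);
if (bytes_read < buffersize) buffer[bytes_read] = '\0';
// … unchanged: readbuffer selection and fread into readbuffer …
// Expand(), compressed branch
size_t bytes_read = (*m_decompress)(readbuffer, reclen, buffer, buffersize);
if (bytes_read < buffersize) buffer[bytes_read] = '\0';
// … unchanged: rest of Expand(), sizes(), start of geturl() …
// geturl()
urls = new char[urlsize + 1];
Expand(reclen, thishdr_type, (UInt8*)urls, urlsize);
urls[urlsize] = '\0';   // strlen() below can no longer run past the allocation
```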