author | iain <iain@linux.intel.com> | 2011-08-16 12:33:50 +0100 |
---|---|---|
committer | iain <iain@linux.intel.com> | 2011-08-16 12:33:50 +0100 |
commit | 517cf8448eddf98e0baf0177e8a5e5c7888366ab (patch) | |
tree | 99bd991d93f6d427a07aad6b0781a96643fb8e94 | |
parent | b6fdb840d4ae2406c8866c25182feea9e065a10e (diff) |
Fix a memory corruption issue when parsing NMEA sentences
We assumed that if there was a \r in the buffer, then there must also be a \n.
If the \r was the final character in the buffer there would not be a \n
so adding 2 to the sentence length would cause an invalid read off the end of
the buffer, and by making chars_in_buffer equal -1 an invalid write by
underflowing the buffer, scribbling over the address of ctxt. Which then caused
a crash.
-rw-r--r-- | src/gypsy-nmea-parser.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/gypsy-nmea-parser.c b/src/gypsy-nmea-parser.c index 561a5db..cab86ce 100644 --- a/src/gypsy-nmea-parser.c +++ b/src/gypsy-nmea-parser.c @@ -113,6 +113,13 @@ gypsy_nmea_parser_received_data (GypsyParser *parser, int sentence_length; /* Account for <LF> */ sentence_length = (eos - priv->sentence) + 2; + + if (*(eos + 1) == '\n') { + sentence_length += 2; + } else { + sentence_length += 1; + } + if (sentence_length > 1) { /* terminate the string at the <CR> */ *eos = '\0'; |
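Review bot: The unchanged context line `sentence_length = (eos - priv->sentence) + 2;` still adds 2 before the new if/else adds a further 2 or 1, so the length now comes out as the `<CR>` offset plus 4 or plus 3, larger than the "+ 2" the commit message names as the cause of the overread. The initial assignment should drop its `+ 2` so that only the branch accounts for the terminator; the diffstat would then show a deletion, where it currently shows 0. Separately, `if (*(eos + 1) == '\n')` dereferences `eos + 1` with no bounds check. In the case the message describes, where the `\r` is the final character in the buffer, that read is itself one byte past the received data. Compare the position of `eos + 1` against the number of characters in the buffer before dereferencing, and decide explicitly what happens when the `\n` has not arrived yet (for example, leave the sentence in the buffer until more data is received). A short comment on the new branch stating which terminators are accepted would also help, since the existing `/* Account for <LF> */` comment no longer matches the logic.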