If cdf_count_chain() is called with sid < 0, then we end up returning
zero length, which in turn leads to calloc() calls for 0 bytes in
cdf_read_long_sector_chain(), cdf_read_short_sector_chain() and
cdf_read_ssat(). Depending on calloc() implementation we can end
up returning -1 or 0 from those. As a negative sid is probably an erroneous
case anyway, it might be better to always return -1.
Issue found by clang static analysis.
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: cdf.c,v 1.57 2014/05/06 18:20:39 christos Exp $")
+FILE_RCSID("@(#)$File: cdf.c,v 1.58 2014/05/13 16:41:06 christos Exp $")
#endif
#include <assert.h>
}
sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]);
}
+ if (i == 0) {
+ DPRINTF((" none, sid: %d\n", sid));
+ return (size_t)-1;
+
+ }
DPRINTF(("\n"));
return i;
}
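Review bot: The new `if (i == 0)` branch returns `(size_t)-1` without setting errno, so a caller that reports the failure through errno will see whatever value was left by an earlier call rather than the cause of this one; if the loop-limit and sector-range checks earlier in cdf_count_chain set errno before their `(size_t)-1` returns (they appear to, but that code is outside the hunk), this branch should do the same, e.g. `errno = EFTYPE;` immediately before `return (size_t)-1;`. The stray blank line between `return (size_t)-1;` and the closing brace is inconsistent with the rest of the function and should be dropped. The start of cdf_count_chain lies outside the hunk, so the errno convention of its other error paths cannot be confirmed from here.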