From e54dedd8df7de98ccbc082afadf977f56ce8259f Mon Sep 17 00:00:00 2001 From: William Wilgus Date: Wed, 5 Jun 2024 01:03:13 -0400 Subject: [coverity] fat.c fatlong_parse_entry() buffer overrun, fix warning basisname BYTES2INT16() uses [i + 0] and [i + 1] therefore 30 is the max element available in the raw byte array of size 32 (((uint32_t)array[pos+0] << 0) | \ ((uint32_t)array[pos+1] << 8)) struct /* raw byte array */ { uint8_t data[32]; }; basisname is only uninitialized in the . and .. dir entries both are likely false positives but cheap enough to guard against Change-Id: Iab3d186fed6050d2d61185071765a2c0feb9515f --- firmware/drivers/fat.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'firmware/drivers/fat.c') diff --git a/firmware/drivers/fat.c b/firmware/drivers/fat.c index 20c8f2b8e0..ebf0f92798 100644 --- a/firmware/drivers/fat.c +++ b/firmware/drivers/fat.c @@ -659,11 +659,14 @@ static inline unsigned int longent_char_next(unsigned int i) { switch (i += 2) { + /* flip endian for elements 14 - 27 */ case 26: i -= 1; /* return 28 */ + /* Fall-Through */ case 11: i += 3; /* return 14 */ } - - return i < 32 ? i : 0; + /* BYTES2INT16() uses [i + 0] and [i + 1] therefore + * 30 is the max element available in the raw byte array of size 32 */ + return i < 31 ? i : 0; } /* initialize the parse state; call before parsing first long entry */ @@ -1708,6 +1711,7 @@ static int add_dir_entry(struct bpb *fat_bpb, struct fat_filestr *parentstr, int dots = strlcpy(shortname, name, 11); memset(&shortname[dots], ' ', 11 - dots); entries_needed = 1; + basisname[0] = '\0'; } else { -- cgit v1.2.3