mifr/subsurface
1
0
Fork 0
mirror of https://github.com/subsurface/subsurface.git synced 2025-02-19 22:16:15 +00:00
Code Issues Projects Releases Packages Wiki Activity

Divelogs.de: prevent undefined behaviour

Browse source 
prepare_dives_for_divelogs() did a silly thing, which I was
responsible for. When populating 'tempfile' we benefit
from QString, but then return a pointer to a local variable
(char *) without alocating it on the heap. This resulted
in undefined behavior, as we don't know the lifespan of that
local memory on the stack.

Patch fixes that by using strdup() and freeing the memory
when/if needed.

Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Lubomir I. Ivanov <neolit123@gmail.com>
Signed-off-by: Dirk Hohndel <dirk@hohndel.org>
This commit is contained in:
Lubomir I. Ivanov 2013-12-10 22:53:02 +02:00 committed by Dirk Hohndel
parent 5ebcc2d237
commit 643f404036
1 changed files with 9 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

12
qt-ui/subsurfacewebservices.cpp
View file

@ -115,15 +115,17 @@ static char *prepare_dives_for_divelogs(const bool selected)
/* generate a random filename and create/open that file with zip_open */ /* generate a random filename and create/open that file with zip_open */
QString tempfileQ = QDir::tempPath() + "/import-" + QString::number(qrand() % 99999999) + ".dld"; QString tempfileQ = QDir::tempPath() + "/import-" + QString::number(qrand() % 99999999) + ".dld";
tempfile = tempfileQ.toLocal8Bit().data(); tempfile = strdup(tempfileQ.toLocal8Bit().data());
zip = zip_open(tempfile, ZIP_CREATE, NULL); zip = zip_open(tempfile, ZIP_CREATE, NULL);
if (!zip) { if (!zip) {
qDebug() << errPrefix << "cannot open file as zip"; qDebug() << errPrefix << "cannot open file as zip";
free((void *)tempfile);
return NULL; return NULL;
} }
if (!amount_selected) { if (!amount_selected) {
qDebug() << errPrefix << "no dives selected"; qDebug() << errPrefix << "no dives selected";
free((void *)tempfile);
return NULL; return NULL;
} }
@ -137,6 +139,7 @@ static char *prepare_dives_for_divelogs(const bool selected)
f = tmpfile(); f = tmpfile();
if (!f) { if (!f) {
qDebug() << errPrefix << "cannot create temp file"; qDebug() << errPrefix << "cannot create temp file";
free((void *)tempfile);
return NULL; return NULL;
} }
save_dive(f, dive); save_dive(f, dive);
@ -146,6 +149,7 @@ static char *prepare_dives_for_divelogs(const bool selected)
membuf = (char *)malloc(streamsize + 1); membuf = (char *)malloc(streamsize + 1);
if (!membuf || !fread(membuf, streamsize, 1, f)) { if (!membuf || !fread(membuf, streamsize, 1, f)) {
qDebug() << errPrefix << "memory error"; qDebug() << errPrefix << "memory error";
free((void *)tempfile);
return NULL; return NULL;
} }
membuf[streamsize] = 0; membuf[streamsize] = 0;
@ -158,6 +162,7 @@ static char *prepare_dives_for_divelogs(const bool selected)
doc = xmlReadMemory(membuf, strlen(membuf), "divelog", NULL, 0); doc = xmlReadMemory(membuf, strlen(membuf), "divelog", NULL, 0);
if (!doc) { if (!doc) {
qDebug() << errPrefix << "xml error"; qDebug() << errPrefix << "xml error";
free((void *)tempfile);
return NULL; return NULL;
} }
free((void *)membuf); free((void *)membuf);
@ -165,6 +170,7 @@ static char *prepare_dives_for_divelogs(const bool selected)
xslt = get_stylesheet("divelogs-export.xslt"); xslt = get_stylesheet("divelogs-export.xslt");
if (!xslt) { if (!xslt) {
qDebug() << errPrefix << "missing stylesheet"; qDebug() << errPrefix << "missing stylesheet";
free((void *)tempfile);
return NULL; return NULL;
} }
transformed = xsltApplyStylesheet(xslt, doc, NULL); transformed = xsltApplyStylesheet(xslt, doc, NULL);
@ -184,8 +190,6 @@ static char *prepare_dives_for_divelogs(const bool selected)
} }
} }
zip_close(zip); zip_close(zip);
/* let's call this again */
tempfile = tempfileQ.toLocal8Bit().data();
return tempfile; return tempfile;
} }
@ -554,9 +558,11 @@ void DivelogsDeWebServices::prepareDivesForUpload()
uploadDives((QIODevice *)&f); uploadDives((QIODevice *)&f);
f.close(); f.close();
f.remove(); f.remove();
free((void *)filename);
return; return;
} }
mainWindow()->showError(errorText.append(": ").append(filename)); mainWindow()->showError(errorText.append(": ").append(filename));
free((void *)filename);
return; return;
} }
mainWindow()->showError(errorText.append("!")); mainWindow()->showError(errorText.append("!"));