From afb53e387b53e482df25889608a8777fbc9ad0ae Mon Sep 17 00:00:00 2001
From: Dirk Hohndel <dirk@hohndel.org>
Date: Wed, 5 Dec 2012 13:43:36 -0800
Subject: [PATCH] Fix retrieval of object_id value in Uemis downloader

The existing code could read past the end of the buffer that was handed to
it.

Signed-off-by: Dirk Hohndel <dirk@hohndel.org>
---
 uemis-downloader.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/uemis-downloader.c b/uemis-downloader.c
index abd131a07..722b4ea08 100644
--- a/uemis-downloader.c
+++ b/uemis-downloader.c
@@ -322,9 +322,10 @@ static gboolean next_file(int max)
 
 static char *first_object_id_val(char* buf)
 {
-	char *object;
+	char *object, *bufend;
 	if (!buf)
 		return NULL;
+	bufend = buf + strlen(buf);
 	object = strstr(buf, "object_id");
 	if (object) {
 		/* get the value */
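Review bot: The bound set by `bufend = buf + strlen(buf);` is only valid if `buf` is NUL-terminated, and nothing on `first_object_id_val` states that requirement or who owns the result. A short header comment would record both, for example `/* buf must be NUL-terminated; returns a strdup()'d string the caller must free, or NULL */`. The function body continues past the end of this hunk.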
@@ -332,12 +333,18 @@ static char *first_object_id_val(char* buf)
 		char *p = object + 14;
 		char *t = tmp;
 
-		if (p < buf + strlen(buf)) {
-			while (*p != '{' && t < tmp + 9)
-				*t++ = *p++;
+#if UEMIS_DEBUG & 2
+		char debugbuf[50];
+		strncpy(debugbuf, object, 49);
+		debugbuf[49] = '\0';
+		fprintf(debugfile, "buf |%s|\n", debugbuf);
+#endif
+		while (p < bufend && *p != '{' && t < tmp + 9)
+			*t++ = *p++;
+		if (*p == '{') {
 			*t = '\0';
+			return strdup(tmp);
 		}
-		return strdup(tmp);
 	}
 	return NULL;
 }
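Review bot: The `if (*p == '{')` test after the loop can still read outside the buffer. `p` starts at `object + 14`, so when fewer than 14 bytes follow the match the loop is skipped with `p` already beyond `bufend`, and the dereference is the same over-read the commit set out to remove. Guard it with `if (p < bufend && *p == '{') {`. Forming `object + 14` past one-past-the-end is itself undefined, so checking `bufend - object > 14` before computing `p` would be cleaner still. The declaration of `tmp` lies outside the hunk; the `tmp + 9` bound and the `*t = '\0'` write assume it holds at least 10 bytes, which is worth confirming.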
@@ -350,6 +357,9 @@ static void show_progress(char *buf, char *what)
 	char *val = first_object_id_val(buf);
 	if (val) {
 		/* let the user know what we are working on */
+#if UEMIS_DEBUG & 2
+		fprintf(debugfile,"reading %s %s\n", what, val);
+#endif
 		uemis_info(_("Reading %s %s"), what, val);
 		free(val);
 	}