fly/flightgear
1
0
Fork 0
Code Activity

Fix for CVE-2012-2091:

Browse source 
add checks against buffer overruns
 CVE-2012-2091 mentions various buffer overruns in simgear and
 flightgear. This patch addresses this issue in Rotor::getValueforFGSet().
From: Tom Callaway
This commit is contained in:
James Turner 2013-09-14 17:39:02 +01:00
parent 66423605f1
commit dab588c789
1 changed files with 11 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
src/FDM/YASim/Rotor.cpp
View file

@ -273,7 +273,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f)
if (4>numRotorparts()) return 0; //compile first!
if (j==0)
{
sprintf(text,"/rotors/%s/cone-deg", _name);
snprintf(text, 256, "/rotors/%s/cone-deg", _name);
*f=(_balance1>-1)?( ((Rotorpart*)getRotorpart(0))->getrealAlpha()
+((Rotorpart*)getRotorpart(1*(_number_of_parts>>2)))->getrealAlpha()
+((Rotorpart*)getRotorpart(2*(_number_of_parts>>2)))->getrealAlpha()
@ -283,7 +283,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f)
else
if (j==1)
{
sprintf(text,"/rotors/%s/roll-deg", _name);
snprintf(text, 256, "/rotors/%s/roll-deg", _name);
_roll = ( ((Rotorpart*)getRotorpart(0))->getrealAlpha()
-((Rotorpart*)getRotorpart(2*(_number_of_parts>>2)))->getrealAlpha()
)/2*(_ccw?-1:1);
@ -292,7 +292,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f)
else
if (j==2)
{
sprintf(text,"/rotors/%s/yaw-deg", _name);
snprintf(text, 256, "/rotors/%s/yaw-deg", _name);
_yaw=( ((Rotorpart*)getRotorpart(1*(_number_of_parts>>2)))->getrealAlpha()
-((Rotorpart*)getRotorpart(3*(_number_of_parts>>2)))->getrealAlpha()
)/2;
@ -301,38 +301,38 @@ int Rotor::getValueforFGSet(int j,char *text,float *f)
else
if (j==3)
{
sprintf(text,"/rotors/%s/rpm", _name);
snprintf(text, 256, "/rotors/%s/rpm", _name);
*f=(_balance1>-1)?_omega/2/pi*60:0;
}
else
if (j==4)
{
sprintf(text,"/rotors/%s/tilt/pitch-deg",_name);
snprintf(text, 256, "/rotors/%s/tilt/pitch-deg",_name);
*f=_tilt_pitch*180/pi;
}
else if (j==5)
{
sprintf(text,"/rotors/%s/tilt/roll-deg",_name);
snprintf(text, 256, "/rotors/%s/tilt/roll-deg",_name);
*f=_tilt_roll*180/pi;
}
else if (j==6)
{
sprintf(text,"/rotors/%s/tilt/yaw-deg",_name);
snprintf(text, 256, "/rotors/%s/tilt/yaw-deg",_name);
*f=_tilt_yaw*180/pi;
}
else if (j==7)
{
sprintf(text,"/rotors/%s/balance", _name);
snprintf(text, 256, "/rotors/%s/balance", _name);
*f=_balance1;
}
else if (j==8)
{
sprintf(text,"/rotors/%s/stall",_name);
snprintf(text, 256, "/rotors/%s/stall",_name);
*f=getOverallStall();
}
else if (j==9)
{
sprintf(text,"/rotors/%s/torque",_name);
snprintf(text, 256, "/rotors/%s/torque",_name);
*f=-_torque;;
}
else
@ -343,7 +343,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f)
return 0;
}
int w=j%3;
sprintf(text,"/rotors/%s/blade[%i]/%s",
snprintf(text, 256, "/rotors/%s/blade[%i]/%s",
_name,b,
w==0?"position-deg":(w==1?"flap-deg":"incidence-deg"));
*f=((Rotorpart*)getRotorpart(0))->getPhi()*180/pi