
Fix for CVE-2012-2091:

add checks against buffer overruns
 CVE-2012-2091 mentions various buffer overruns in simgear and
 flightgear. This patch addresses this issue in Rotor::getValueforFGSet().
From: Tom Callaway
James Turner 2013-09-14 17:39:02 +01:00
parent 66423605f1
commit dab588c789


@ -273,7 +273,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f)
if (4>numRotorparts()) return 0; //compile first! if (4>numRotorparts()) return 0; //compile first!
if (j==0) if (j==0)
{ {
sprintf(text,"/rotors/%s/cone-deg", _name); snprintf(text, 256, "/rotors/%s/cone-deg", _name);
*f=(_balance1>-1)?( ((Rotorpart*)getRotorpart(0))->getrealAlpha() *f=(_balance1>-1)?( ((Rotorpart*)getRotorpart(0))->getrealAlpha()
+((Rotorpart*)getRotorpart(1*(_number_of_parts>>2)))->getrealAlpha() +((Rotorpart*)getRotorpart(1*(_number_of_parts>>2)))->getrealAlpha()
+((Rotorpart*)getRotorpart(2*(_number_of_parts>>2)))->getrealAlpha() +((Rotorpart*)getRotorpart(2*(_number_of_parts>>2)))->getrealAlpha()
@ -283,7 +283,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f)
else else
if (j==1) if (j==1)
{ {
sprintf(text,"/rotors/%s/roll-deg", _name); snprintf(text, 256, "/rotors/%s/roll-deg", _name);
_roll = ( ((Rotorpart*)getRotorpart(0))->getrealAlpha() _roll = ( ((Rotorpart*)getRotorpart(0))->getrealAlpha()
-((Rotorpart*)getRotorpart(2*(_number_of_parts>>2)))->getrealAlpha() -((Rotorpart*)getRotorpart(2*(_number_of_parts>>2)))->getrealAlpha()
)/2*(_ccw?-1:1); )/2*(_ccw?-1:1);
@ -292,7 +292,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f)
else else
if (j==2) if (j==2)
{ {
sprintf(text,"/rotors/%s/yaw-deg", _name); snprintf(text, 256, "/rotors/%s/yaw-deg", _name);
_yaw=( ((Rotorpart*)getRotorpart(1*(_number_of_parts>>2)))->getrealAlpha() _yaw=( ((Rotorpart*)getRotorpart(1*(_number_of_parts>>2)))->getrealAlpha()
-((Rotorpart*)getRotorpart(3*(_number_of_parts>>2)))->getrealAlpha() -((Rotorpart*)getRotorpart(3*(_number_of_parts>>2)))->getrealAlpha()
)/2; )/2;
@ -301,38 +301,38 @@ int Rotor::getValueforFGSet(int j,char *text,float *f)
else else
if (j==3) if (j==3)
{ {
sprintf(text,"/rotors/%s/rpm", _name); snprintf(text, 256, "/rotors/%s/rpm", _name);
*f=(_balance1>-1)?_omega/2/pi*60:0; *f=(_balance1>-1)?_omega/2/pi*60:0;
} }
else else
if (j==4) if (j==4)
{ {
sprintf(text,"/rotors/%s/tilt/pitch-deg",_name); snprintf(text, 256, "/rotors/%s/tilt/pitch-deg",_name);
*f=_tilt_pitch*180/pi; *f=_tilt_pitch*180/pi;
} }
else if (j==5) else if (j==5)
{ {
sprintf(text,"/rotors/%s/tilt/roll-deg",_name); snprintf(text, 256, "/rotors/%s/tilt/roll-deg",_name);
*f=_tilt_roll*180/pi; *f=_tilt_roll*180/pi;
} }
else if (j==6) else if (j==6)
{ {
sprintf(text,"/rotors/%s/tilt/yaw-deg",_name); snprintf(text, 256, "/rotors/%s/tilt/yaw-deg",_name);
*f=_tilt_yaw*180/pi; *f=_tilt_yaw*180/pi;
} }
else if (j==7) else if (j==7)
{ {
sprintf(text,"/rotors/%s/balance", _name); snprintf(text, 256, "/rotors/%s/balance", _name);
*f=_balance1; *f=_balance1;
} }
else if (j==8) else if (j==8)
{ {
sprintf(text,"/rotors/%s/stall",_name); snprintf(text, 256, "/rotors/%s/stall",_name);
*f=getOverallStall(); *f=getOverallStall();
} }
else if (j==9) else if (j==9)
{ {
sprintf(text,"/rotors/%s/torque",_name); snprintf(text, 256, "/rotors/%s/torque",_name);
*f=-_torque;; *f=-_torque;;
} }
else else
@ -343,7 +343,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f)
return 0; return 0;
} }
int w=j%3; int w=j%3;
sprintf(text,"/rotors/%s/blade[%i]/%s", snprintf(text, 256, "/rotors/%s/blade[%i]/%s",
_name,b, _name,b,
w==0?"position-deg":(w==1?"flap-deg":"incidence-deg")); w==0?"position-deg":(w==1?"flap-deg":"incidence-deg"));
*f=((Rotorpart*)getRotorpart(0))->getPhi()*180/pi *f=((Rotorpart*)getRotorpart(0))->getPhi()*180/pi
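Review bot: The bound `256` in every new `snprintf` call is a hard-coded assumption about the caller's buffer, because `getValueforFGSet(int j,char *text,float *f)` receives no length for `text`; if any call site passes a smaller array, the overrun is still there. The size should travel with the pointer, either as an added size parameter or as a named constant shared with the call site, rather than a literal repeated eleven times. The return value is also ignored, so an over-long `_name` now silently produces a truncated property path; a check such as `int n = snprintf(text, size, "/rotors/%s/rpm", _name); if (n < 0 || n >= (int)size) return 0;` would surface that, assuming 0 is the failure return as the visible `return 0;` lines suggest. The function starts and ends outside these hunks and no caller is shown, so the real buffer size cannot be confirmed from this page.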