From efcbdcfec2d501f3b4a00aaabd6ff23fdb934f25 Mon Sep 17 00:00:00 2001 From: Scott Giese Date: Sat, 15 Jun 2019 21:30:54 -0500 Subject: [PATCH] [security] Prevent buffer overrun. --- src/FDM/YASim/FGFDM.cpp | 2 +- src/FDM/YASim/Rotor.cpp | 22 +++++++++++----------- src/Network/ATC-Inputs.cxx | 24 ++++++++++++------------ src/Network/ATC-Outputs.cxx | 28 ++++++++++++++-------------- 4 files changed, 38 insertions(+), 38 deletions(-) diff --git a/src/FDM/YASim/FGFDM.cpp b/src/FDM/YASim/FGFDM.cpp index 4c625bb4b..67955cbdc 100644 --- a/src/FDM/YASim/FGFDM.cpp +++ b/src/FDM/YASim/FGFDM.cpp @@ -431,7 +431,7 @@ void FGFDM::setOutputProperties(float dt) Rotor*r=(Rotor*)_airplane.getRotorgear()->getRotor(i); int j = 0; float f; - char b[256]; + char b[300]; while((j = r->getValueforFGSet(j, b, &f))) if(b[0]) fgSetFloat(b,f); j=0; diff --git a/src/FDM/YASim/Rotor.cpp b/src/FDM/YASim/Rotor.cpp index ef1687499..30716d977 100644 --- a/src/FDM/YASim/Rotor.cpp +++ b/src/FDM/YASim/Rotor.cpp @@ -273,7 +273,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f) if (j==0) { - snprintf(text, 256, "/rotors/%s/cone-deg", _name); + snprintf(text, 300, "/rotors/%s/cone-deg", _name); *f=(_balance1>-1)?( ((Rotorpart*)getRotorpart(0))->getrealAlpha() +((Rotorpart*)getRotorpart(1*(_number_of_parts>>2)))->getrealAlpha() +((Rotorpart*)getRotorpart(2*(_number_of_parts>>2)))->getrealAlpha() @@ -282,7 +282,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f) } else if (j==1) { - snprintf(text, 256, "/rotors/%s/roll-deg", _name); + snprintf(text, 300, "/rotors/%s/roll-deg", _name); _roll = ( ((Rotorpart*)getRotorpart(0))->getrealAlpha() -((Rotorpart*)getRotorpart(2*(_number_of_parts>>2)))->getrealAlpha() )/2*(_ccw?-1:1); 
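Review bot: The size of `char b[300]` in `FGFDM::setOutputProperties` is only correct because `Rotor::getValueforFGSet` in Rotor.cpp hard-codes the same `300` in every `snprintf(text, 300, ...)`, and nothing in either file enforces that the two numbers agree. If one side is edited without the other, the callee will write past the caller's buffer. Passing the capacity explicitly, e.g. `r->getValueforFGSet(j, b, sizeof(b), &f)` with a matching `size_t len` parameter used as the `snprintf` bound, or sharing one named constant between the two files, would make the limit a checked contract. The function continues outside this hunk (a second loop follows `j=0;`), so any other user of `b` there needs the same check.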
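Review bot: The return value of `snprintf` is still discarded in the `j==0` branch, so a `_name` too long for the 300-byte limit is silently truncated, and the shortened path is what the caller in FGFDM.cpp passes to `fgSetFloat`. The declared size of `_name` is not visible here, so whether truncation can actually occur needs confirming against the header. Because the caller already skips the set when `b[0]` is zero, the branch could reject an over-long path with `int n = snprintf(text, 300, "/rotors/%s/cone-deg", _name);` followed by `if (n < 0 || n >= 300) text[0] = 0;`. The same applies to every other `snprintf(text, 300, ...)` in the hunks at -282, -290, -298 and -339. `getValueforFGSet` begins and ends outside these hunks.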
@@ -290,7 +290,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f) } else if (j==2) { - snprintf(text, 256, "/rotors/%s/yaw-deg", _name); + snprintf(text, 300, "/rotors/%s/yaw-deg", _name); _yaw=( ((Rotorpart*)getRotorpart(1*(_number_of_parts>>2)))->getrealAlpha() -((Rotorpart*)getRotorpart(3*(_number_of_parts>>2)))->getrealAlpha() )/2; @@ -298,37 +298,37 @@ int Rotor::getValueforFGSet(int j,char *text,float *f) } else if (j==3) { - snprintf(text, 256, "/rotors/%s/rpm", _name); + snprintf(text, 300, "/rotors/%s/rpm", _name); *f=(_balance1>-1)?_omega/2/pi*60:0; } else if (j==4) { - snprintf(text, 256, "/rotors/%s/tilt/pitch-deg",_name); + snprintf(text, 300, "/rotors/%s/tilt/pitch-deg",_name); *f=_tilt_pitch*180/pi; } else if (j==5) { - snprintf(text, 256, "/rotors/%s/tilt/roll-deg",_name); + snprintf(text, 300, "/rotors/%s/tilt/roll-deg",_name); *f=_tilt_roll*180/pi; } else if (j==6) { - snprintf(text, 256, "/rotors/%s/tilt/yaw-deg",_name); + snprintf(text, 300, "/rotors/%s/tilt/yaw-deg",_name); *f=_tilt_yaw*180/pi; } else if (j==7) { - snprintf(text, 256, "/rotors/%s/balance", _name); + snprintf(text, 300, "/rotors/%s/balance", _name); *f=_balance1; } else if (j==8) { - snprintf(text, 256, "/rotors/%s/stall",_name); + snprintf(text, 300, "/rotors/%s/stall",_name); *f=getOverallStall(); } else if (j==9) { - snprintf(text, 256, "/rotors/%s/torque",_name); + snprintf(text, 300, "/rotors/%s/torque",_name); *f=-_torque;; } else @@ -339,7 +339,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f) return 0; } int w=j%3; - snprintf(text, 256, "/rotors/%s/blade[%i]/%s", + snprintf(text, 300, "/rotors/%s/blade[%i]/%s", _name,b, w==0?"position-deg":(w==1?"flap-deg":"incidence-deg")); *f=((Rotorpart*)getRotorpart(0))->getPhi()*180/pi diff --git a/src/Network/ATC-Inputs.cxx b/src/Network/ATC-Inputs.cxx index 9e67e8b64..2d025dc15 100644 --- a/src/Network/ATC-Inputs.cxx +++ b/src/Network/ATC-Inputs.cxx 
@@ -158,8 +158,8 @@ bool FGATCInput::open() { analog_in_fd = ::open( analog_in_file, O_RDONLY ); if ( analog_in_fd == -1 ) { SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); - char msg[256]; - snprintf( msg, 256, "Error opening %s", analog_in_file ); + char msg[300]; + snprintf( msg, 300, "Error opening %s", analog_in_file ); perror( msg ); exit( -1 ); } @@ -167,8 +167,8 @@ bool FGATCInput::open() { radios_fd = ::open( radios_file, O_RDWR ); if ( radios_fd == -1 ) { SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); - char msg[256]; - snprintf( msg, 256, "Error opening %s", radios_file ); + char msg[300]; + snprintf( msg, 300, "Error opening %s", radios_file ); perror( msg ); exit( -1 ); } @@ -176,8 +176,8 @@ bool FGATCInput::open() { switches_fd = ::open( switches_file, O_RDONLY ); if ( switches_fd == -1 ) { SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); - char msg[256]; - snprintf( msg, 256, "Error opening %s", switches_file ); + char msg[300]; + snprintf( msg, 300, "Error opening %s", switches_file ); perror( msg ); exit( -1 ); } @@ -989,8 +989,8 @@ bool FGATCInput::close() { result = ::close( analog_in_fd ); if ( result == -1 ) { SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); - char msg[256]; - snprintf( msg, 256, "Error closing %s", analog_in_file ); + char msg[300]; + snprintf( msg, 300, "Error closing %s", analog_in_file ); perror( msg ); exit( -1 ); } @@ -998,8 +998,8 @@ bool FGATCInput::close() { result = ::close( radios_fd ); if ( result == -1 ) { SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); - char msg[256]; - snprintf( msg, 256, "Error closing %s", radios_file ); + char msg[300]; + snprintf( msg, 300, "Error closing %s", radios_file ); perror( msg ); exit( -1 ); } 
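Review bot: Each `snprintf( msg, 300, ... )` repeats the array length as a literal, so the bound and the `char msg[300]` declaration can drift apart the next time one of them is edited. Writing `snprintf( msg, sizeof(msg), "Error opening %s", analog_in_file );` ties the limit to the buffer. The same pattern recurs in the remaining `FGATCInput::open()` and `close()` hunks and in every `FGATCOutput` hunk of ATC-Outputs.cxx. Separately, `perror( msg )` runs after `SG_LOG` and `snprintf`, either of which may overwrite `errno`, so capturing it first with `const int err = errno;` and assigning `errno = err;` just before `perror` would keep the reported error accurate. `open()` continues outside this hunk.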
@@ -1007,8 +1007,8 @@ bool FGATCInput::close() { result = ::close( switches_fd ); if ( result == -1 ) { SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); - char msg[256]; - snprintf( msg, 256, "Error closing %s", switches_file ); + char msg[300]; + snprintf( msg, 300, "Error closing %s", switches_file ); perror( msg ); exit( -1 ); } diff --git a/src/Network/ATC-Outputs.cxx b/src/Network/ATC-Outputs.cxx index 2971ab1fc..dd327dede 100644 --- a/src/Network/ATC-Outputs.cxx +++ b/src/Network/ATC-Outputs.cxx @@ -273,8 +273,8 @@ bool FGATCOutput::open( int lock_fd ) { analog_out_fd = ::open( analog_out_file, O_WRONLY ); if ( analog_out_fd == -1 ) { SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); - char msg[256]; - snprintf( msg, 256, "Error opening %s", analog_out_file ); + char msg[300]; + snprintf( msg, 300, "Error opening %s", analog_out_file ); perror( msg ); exit( -1 ); } @@ -282,8 +282,8 @@ bool FGATCOutput::open( int lock_fd ) { lamps_fd = ::open( lamps_file, O_WRONLY ); if ( lamps_fd == -1 ) { SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); - char msg[256]; - snprintf( msg, 256, "Error opening %s", lamps_file ); + char msg[300]; + snprintf( msg, 300, "Error opening %s", lamps_file ); perror( msg ); exit( -1 ); } @@ -291,8 +291,8 @@ bool FGATCOutput::open( int lock_fd ) { radio_display_fd = ::open( radio_display_file, O_RDWR ); if ( radio_display_fd == -1 ) { SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); - char msg[256]; - snprintf( msg, 256, "Error opening %s", radio_display_file ); + char msg[300]; + snprintf( msg, 300, "Error opening %s", radio_display_file ); perror( msg ); exit( -1 ); } @@ -300,8 +300,8 @@ bool FGATCOutput::open( int lock_fd ) { stepper_fd = ::open( stepper_file, O_RDWR ); if ( stepper_fd == -1 ) { SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); - char msg[256]; - snprintf( msg, 256, "Error opening %s", stepper_file ); + char msg[300]; + snprintf( msg, 300, "Error opening %s", stepper_file ); perror( msg ); exit( -1 ); } 
@@ -1076,8 +1076,8 @@ bool FGATCOutput::close() { result = ::close( lamps_fd ); if ( result == -1 ) { SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); - char msg[256]; - snprintf( msg, 256, "Error closing %s", lamps_file ); + char msg[300]; + snprintf( msg, 300, "Error closing %s", lamps_file ); perror( msg ); exit( -1 ); } @@ -1085,8 +1085,8 @@ bool FGATCOutput::close() { result = ::close( radio_display_fd ); if ( result == -1 ) { SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); - char msg[256]; - snprintf( msg, 256, "Error closing %s", radio_display_file ); + char msg[300]; + snprintf( msg, 300, "Error closing %s", radio_display_file ); perror( msg ); exit( -1 ); } @@ -1094,8 +1094,8 @@ bool FGATCOutput::close() { result = ::close( stepper_fd ); if ( result == -1 ) { SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); - char msg[256]; - snprintf( msg, 256, "Error closing %s", stepper_file ); + char msg[300]; + snprintf( msg, 300, "Error closing %s", stepper_file ); perror( msg ); exit( -1 ); }