fly/flightgear
1
0
Fork 0
Code Activity

[security] Prevent buffer overrun.

Browse source
This commit is contained in:
Scott Giese 2019-06-15 21:30:54 -05:00
parent 47e3e7baed
commit efcbdcfec2
4 changed files with 38 additions and 38 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/FDM/YASim/FGFDM.cpp
View file

@ -431,7 +431,7 @@ void FGFDM::setOutputProperties(float dt)
Rotor*r=(Rotor*)_airplane.getRotorgear()->getRotor(i); Rotor*r=(Rotor*)_airplane.getRotorgear()->getRotor(i);
int j = 0; int j = 0;
float f; float f;
char b[256]; char b[300];
while((j = r->getValueforFGSet(j, b, &f))) while((j = r->getValueforFGSet(j, b, &f)))
if(b[0]) fgSetFloat(b,f); if(b[0]) fgSetFloat(b,f);
j=0; j=0;

22
src/FDM/YASim/Rotor.cpp
View file

@ -273,7 +273,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f)
if (j==0) if (j==0)
{ {
snprintf(text, 256, "/rotors/%s/cone-deg", _name); snprintf(text, 300, "/rotors/%s/cone-deg", _name);
*f=(_balance1>-1)?( ((Rotorpart*)getRotorpart(0))->getrealAlpha() *f=(_balance1>-1)?( ((Rotorpart*)getRotorpart(0))->getrealAlpha()
+((Rotorpart*)getRotorpart(1*(_number_of_parts>>2)))->getrealAlpha() +((Rotorpart*)getRotorpart(1*(_number_of_parts>>2)))->getrealAlpha()
+((Rotorpart*)getRotorpart(2*(_number_of_parts>>2)))->getrealAlpha() +((Rotorpart*)getRotorpart(2*(_number_of_parts>>2)))->getrealAlpha()
@ -282,7 +282,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f)
} }
else if (j==1) else if (j==1)
{ {
snprintf(text, 256, "/rotors/%s/roll-deg", _name); snprintf(text, 300, "/rotors/%s/roll-deg", _name);
_roll = ( ((Rotorpart*)getRotorpart(0))->getrealAlpha() _roll = ( ((Rotorpart*)getRotorpart(0))->getrealAlpha()
-((Rotorpart*)getRotorpart(2*(_number_of_parts>>2)))->getrealAlpha() -((Rotorpart*)getRotorpart(2*(_number_of_parts>>2)))->getrealAlpha()
)/2*(_ccw?-1:1); )/2*(_ccw?-1:1);
@ -290,7 +290,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f)
} }
else if (j==2) else if (j==2)
{ {
snprintf(text, 256, "/rotors/%s/yaw-deg", _name); snprintf(text, 300, "/rotors/%s/yaw-deg", _name);
_yaw=( ((Rotorpart*)getRotorpart(1*(_number_of_parts>>2)))->getrealAlpha() _yaw=( ((Rotorpart*)getRotorpart(1*(_number_of_parts>>2)))->getrealAlpha()
-((Rotorpart*)getRotorpart(3*(_number_of_parts>>2)))->getrealAlpha() -((Rotorpart*)getRotorpart(3*(_number_of_parts>>2)))->getrealAlpha()
)/2; )/2;
@ -298,37 +298,37 @@ int Rotor::getValueforFGSet(int j,char *text,float *f)
} }
else if (j==3) else if (j==3)
{ {
snprintf(text, 256, "/rotors/%s/rpm", _name); snprintf(text, 300, "/rotors/%s/rpm", _name);
*f=(_balance1>-1)?_omega/2/pi*60:0; *f=(_balance1>-1)?_omega/2/pi*60:0;
} }
else if (j==4) else if (j==4)
{ {
snprintf(text, 256, "/rotors/%s/tilt/pitch-deg",_name); snprintf(text, 300, "/rotors/%s/tilt/pitch-deg",_name);
*f=_tilt_pitch*180/pi; *f=_tilt_pitch*180/pi;
} }
else if (j==5) else if (j==5)
{ {
snprintf(text, 256, "/rotors/%s/tilt/roll-deg",_name); snprintf(text, 300, "/rotors/%s/tilt/roll-deg",_name);
*f=_tilt_roll*180/pi; *f=_tilt_roll*180/pi;
} }
else if (j==6) else if (j==6)
{ {
snprintf(text, 256, "/rotors/%s/tilt/yaw-deg",_name); snprintf(text, 300, "/rotors/%s/tilt/yaw-deg",_name);
*f=_tilt_yaw*180/pi; *f=_tilt_yaw*180/pi;
} }
else if (j==7) else if (j==7)
{ {
snprintf(text, 256, "/rotors/%s/balance", _name); snprintf(text, 300, "/rotors/%s/balance", _name);
*f=_balance1; *f=_balance1;
} }
else if (j==8) else if (j==8)
{ {
snprintf(text, 256, "/rotors/%s/stall",_name); snprintf(text, 300, "/rotors/%s/stall",_name);
*f=getOverallStall(); *f=getOverallStall();
} }
else if (j==9) else if (j==9)
{ {
snprintf(text, 256, "/rotors/%s/torque",_name); snprintf(text, 300, "/rotors/%s/torque",_name);
*f=-_torque;; *f=-_torque;;
} }
else else
@ -339,7 +339,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f)
return 0; return 0;
} }
int w=j%3; int w=j%3;
snprintf(text, 256, "/rotors/%s/blade[%i]/%s", snprintf(text, 300, "/rotors/%s/blade[%i]/%s",
_name,b, _name,b,
w==0?"position-deg":(w==1?"flap-deg":"incidence-deg")); w==0?"position-deg":(w==1?"flap-deg":"incidence-deg"));
*f=((Rotorpart*)getRotorpart(0))->getPhi()*180/pi *f=((Rotorpart*)getRotorpart(0))->getPhi()*180/pi

24
src/Network/ATC-Inputs.cxx
View file

@ -158,8 +158,8 @@ bool FGATCInput::open() {
analog_in_fd = ::open( analog_in_file, O_RDONLY ); analog_in_fd = ::open( analog_in_file, O_RDONLY );
if ( analog_in_fd == -1 ) { if ( analog_in_fd == -1 ) {
SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); SG_LOG( SG_IO, SG_ALERT, "errno = " << errno );
char msg[256]; char msg[300];
snprintf( msg, 256, "Error opening %s", analog_in_file ); snprintf( msg, 300, "Error opening %s", analog_in_file );
perror( msg ); perror( msg );
exit( -1 ); exit( -1 );
} }
@ -167,8 +167,8 @@ bool FGATCInput::open() {
radios_fd = ::open( radios_file, O_RDWR ); radios_fd = ::open( radios_file, O_RDWR );
if ( radios_fd == -1 ) { if ( radios_fd == -1 ) {
SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); SG_LOG( SG_IO, SG_ALERT, "errno = " << errno );
char msg[256]; char msg[300];
snprintf( msg, 256, "Error opening %s", radios_file ); snprintf( msg, 300, "Error opening %s", radios_file );
perror( msg ); perror( msg );
exit( -1 ); exit( -1 );
} }
@ -176,8 +176,8 @@ bool FGATCInput::open() {
switches_fd = ::open( switches_file, O_RDONLY ); switches_fd = ::open( switches_file, O_RDONLY );
if ( switches_fd == -1 ) { if ( switches_fd == -1 ) {
SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); SG_LOG( SG_IO, SG_ALERT, "errno = " << errno );
char msg[256]; char msg[300];
snprintf( msg, 256, "Error opening %s", switches_file ); snprintf( msg, 300, "Error opening %s", switches_file );
perror( msg ); perror( msg );
exit( -1 ); exit( -1 );
} }
@ -989,8 +989,8 @@ bool FGATCInput::close() {
result = ::close( analog_in_fd ); result = ::close( analog_in_fd );
if ( result == -1 ) { if ( result == -1 ) {
SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); SG_LOG( SG_IO, SG_ALERT, "errno = " << errno );
char msg[256]; char msg[300];
snprintf( msg, 256, "Error closing %s", analog_in_file ); snprintf( msg, 300, "Error closing %s", analog_in_file );
perror( msg ); perror( msg );
exit( -1 ); exit( -1 );
} }
@ -998,8 +998,8 @@ bool FGATCInput::close() {
result = ::close( radios_fd ); result = ::close( radios_fd );
if ( result == -1 ) { if ( result == -1 ) {
SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); SG_LOG( SG_IO, SG_ALERT, "errno = " << errno );
char msg[256]; char msg[300];
snprintf( msg, 256, "Error closing %s", radios_file ); snprintf( msg, 300, "Error closing %s", radios_file );
perror( msg ); perror( msg );
exit( -1 ); exit( -1 );
} }
@ -1007,8 +1007,8 @@ bool FGATCInput::close() {
result = ::close( switches_fd ); result = ::close( switches_fd );
if ( result == -1 ) { if ( result == -1 ) {
SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); SG_LOG( SG_IO, SG_ALERT, "errno = " << errno );
char msg[256]; char msg[300];
snprintf( msg, 256, "Error closing %s", switches_file ); snprintf( msg, 300, "Error closing %s", switches_file );
perror( msg ); perror( msg );
exit( -1 ); exit( -1 );
} }

28
src/Network/ATC-Outputs.cxx
View file

@ -273,8 +273,8 @@ bool FGATCOutput::open( int lock_fd ) {
analog_out_fd = ::open( analog_out_file, O_WRONLY ); analog_out_fd = ::open( analog_out_file, O_WRONLY );
if ( analog_out_fd == -1 ) { if ( analog_out_fd == -1 ) {
SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); SG_LOG( SG_IO, SG_ALERT, "errno = " << errno );
char msg[256]; char msg[300];
snprintf( msg, 256, "Error opening %s", analog_out_file ); snprintf( msg, 300, "Error opening %s", analog_out_file );
perror( msg ); perror( msg );
exit( -1 ); exit( -1 );
} }
@ -282,8 +282,8 @@ bool FGATCOutput::open( int lock_fd ) {
lamps_fd = ::open( lamps_file, O_WRONLY ); lamps_fd = ::open( lamps_file, O_WRONLY );
if ( lamps_fd == -1 ) { if ( lamps_fd == -1 ) {
SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); SG_LOG( SG_IO, SG_ALERT, "errno = " << errno );
char msg[256]; char msg[300];
snprintf( msg, 256, "Error opening %s", lamps_file ); snprintf( msg, 300, "Error opening %s", lamps_file );
perror( msg ); perror( msg );
exit( -1 ); exit( -1 );
} }
@ -291,8 +291,8 @@ bool FGATCOutput::open( int lock_fd ) {
radio_display_fd = ::open( radio_display_file, O_RDWR ); radio_display_fd = ::open( radio_display_file, O_RDWR );
if ( radio_display_fd == -1 ) { if ( radio_display_fd == -1 ) {
SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); SG_LOG( SG_IO, SG_ALERT, "errno = " << errno );
char msg[256]; char msg[300];
snprintf( msg, 256, "Error opening %s", radio_display_file ); snprintf( msg, 300, "Error opening %s", radio_display_file );
perror( msg ); perror( msg );
exit( -1 ); exit( -1 );
} }
@ -300,8 +300,8 @@ bool FGATCOutput::open( int lock_fd ) {
stepper_fd = ::open( stepper_file, O_RDWR ); stepper_fd = ::open( stepper_file, O_RDWR );
if ( stepper_fd == -1 ) { if ( stepper_fd == -1 ) {
SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); SG_LOG( SG_IO, SG_ALERT, "errno = " << errno );
char msg[256]; char msg[300];
snprintf( msg, 256, "Error opening %s", stepper_file ); snprintf( msg, 300, "Error opening %s", stepper_file );
perror( msg ); perror( msg );
exit( -1 ); exit( -1 );
} }
@ -1076,8 +1076,8 @@ bool FGATCOutput::close() {
result = ::close( lamps_fd ); result = ::close( lamps_fd );
if ( result == -1 ) { if ( result == -1 ) {
SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); SG_LOG( SG_IO, SG_ALERT, "errno = " << errno );
char msg[256]; char msg[300];
snprintf( msg, 256, "Error closing %s", lamps_file ); snprintf( msg, 300, "Error closing %s", lamps_file );
perror( msg ); perror( msg );
exit( -1 ); exit( -1 );
} }
@ -1085,8 +1085,8 @@ bool FGATCOutput::close() {
result = ::close( radio_display_fd ); result = ::close( radio_display_fd );
if ( result == -1 ) { if ( result == -1 ) {
SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); SG_LOG( SG_IO, SG_ALERT, "errno = " << errno );
char msg[256]; char msg[300];
snprintf( msg, 256, "Error closing %s", radio_display_file ); snprintf( msg, 300, "Error closing %s", radio_display_file );
perror( msg ); perror( msg );
exit( -1 ); exit( -1 );
} }
@ -1094,8 +1094,8 @@ bool FGATCOutput::close() {
result = ::close( stepper_fd ); result = ::close( stepper_fd );
if ( result == -1 ) { if ( result == -1 ) {
SG_LOG( SG_IO, SG_ALERT, "errno = " << errno ); SG_LOG( SG_IO, SG_ALERT, "errno = " << errno );
char msg[256]; char msg[300];
snprintf( msg, 256, "Error closing %s", stepper_file ); snprintf( msg, 300, "Error closing %s", stepper_file );
perror( msg ); perror( msg );
exit( -1 ); exit( -1 );
} }