Blob Blame Raw
From 529c79dcfb0dc20c123865d1caf1142b085080d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Wed, 15 Feb 2017 15:05:35 +0100
Subject: [PATCH] Fix parsing wmfrog arguments
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A command like "wmfrog -s KSEA -o 7 -tmp /home/stela010/tmp/wmfrog"
crashed because the -tmp argument was bigger than a static buffer used
for storing the argument value. There were similar issues with other
argument values.

This patch fixes it. It also fixes the fact that -tmp argument was
always ignored and user's home directory was used instead.

<https://bugzilla.redhat.com/show_bug.cgi?id=1422319>

Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 Src/wmFrog.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 54 insertions(+), 12 deletions(-)

diff --git a/Src/wmFrog.c b/Src/wmFrog.c
index 24f795c..c422e55 100644
--- a/Src/wmFrog.c
+++ b/Src/wmFrog.c
@@ -12,6 +12,7 @@
 /*
  *   Includes
  */
+#define _XOPEN_SOURCE 500 /* For strdup(3) */
 #include <signal.h>
 #include <stdio.h>
 #include <math.h>
@@ -74,7 +75,7 @@ int NeedsUpdate = 1;
 int maxWind = MAX_WIND;
 int timeOffset = TIME_OFFSET;
 long UpdateDelay;
-char* folder;
+char* folder = NULL;
 int needsUpdate = 1;
 
 /*
@@ -91,7 +92,9 @@ int main(int argc, char *argv[]) {
      */
     ParseCMDLine(argc, argv);
 
-    folder = GetTempDir(".wmapps");
+    if (NULL == folder) {
+        folder = GetTempDir(".wmapps");
+    }
 
     initXwindow(argc, argv);
 
@@ -343,7 +346,11 @@ void ParseCMDLine(int argc, char *argv[]) {
                 print_usage();
                 exit(-1);
             }
-            strcpy(folder, argv[++i]);
+            folder = strdup(argv[++i]);
+            if (NULL == folder) {
+                fprintf(stderr, "Not enough memory to copy -tmp argument.\n");
+                exit(-1);
+            }
 
 
         } else if ((!strcmp(argv[i], "-station")) || (!strcmp(argv[i], "-s"))) {
@@ -352,6 +359,10 @@ void ParseCMDLine(int argc, char *argv[]) {
                 print_usage();
                 exit(-1);
             }
+            if (strlen(argv[i + 1]) >= sizeof(StationID)/sizeof(*StationID) - 1) {
+                fprintf(stderr, "METAR station ID is too long.\n");
+                exit(-1);
+            }
             strcpy(StationID, StringToUpper(argv[++i]));
             strcpy(Label, StationID);
         } else if (!strcmp(argv[i], "-delay")) {
@@ -377,6 +388,10 @@ void ParseCMDLine(int argc, char *argv[]) {
                 print_usage();
                 exit(-1);
             }
+            if (strlen(argv[i + 1]) >= sizeof(Label)/sizeof(*Label) - 1) {
+                fprintf(stderr, "Station label is too long.\n");
+                exit(-1);
+            }
             strcpy(Label, StringToUpper(argv[++i]));
         }
     }
@@ -454,7 +469,8 @@ double UT;
 // Will be called at regular interval to update the weather data (alarm)
 
 void UpdateData() {
-    char command[1024], Line[512], FileName[128];
+    char *command, Line[512], *FileName;
+    const char weatherPlScript[] = "/usr/lib/wmfrog/weather.pl";
     int ign;
     char* igns;
     igns = (char*) malloc(512);
@@ -492,13 +508,29 @@ void UpdateData() {
     /*
      *  Execute Perl script to grab the Latest METAR Report
      */
-    snprintf(command, 1024, "/usr/lib/wmfrog/weather.pl %s %s", StationID, folder);
-    //printf("Retrieveing data\n");
-    ign = system(command);
-    snprintf(FileName, 128, "%s/%s", folder, StationID);
-    //fprintf(stderr,"%s\n\n",FileName);
+    command = malloc(strlen(weatherPlScript) + 1 + strlen(StationID) + 1
+            + strlen(folder) + 1);
+    if (NULL == command) {
+        fprintf(stderr, "Not enough memory to build wheater.pl command.\n");
+    } else {
+        sprintf(command, "%s %s %s", weatherPlScript, StationID, folder);
+        //printf("Retrieveing data\n");
+        ign = system(command);
+        free(command);
+    }
+
+    FileName = malloc(strlen(folder) + 1 + strlen(StationID) + 1);
+    if (NULL == FileName) {
+        fprintf(stderr, "Not enough memory to build staion ID file name.\n");
+        fp = NULL;
+    } else {
+        sprintf(FileName, "%s/%s", folder, StationID);
+        //fprintf(stderr,"%s\n\n",FileName);
+        fp = fopen(FileName, "r");
+        free(FileName);
+    }
 
-    if ((fp = fopen(FileName, "r")) != NULL) {
+    if (fp != NULL) {
         ign = fscanf(fp, "Hour:%d", &weather.hour);
         igns = fgets(Line, 512, fp); //h
         ign = fscanf(fp, "Minute:%d", &weather.min);
@@ -620,11 +652,21 @@ void UpdateData() {
 char *GetTempDir(char *suffix) {
     uid_t id;
     struct passwd *userEntry;
-    static char userHome[128];
+    char *userHome;
 
     id = getuid();
     userEntry = getpwuid(id);
-    snprintf(userHome, 128, "%s/%s", userEntry->pw_dir, suffix);
+    if (NULL == userEntry) {
+        perror("Could not retrieve user's passwd entry");
+        exit(-1);
+    }
+
+    userHome = malloc(strlen(userEntry->pw_dir) + 1 + strlen(suffix) + 1);
+    if (NULL == userHome) {
+        fprintf(stderr, "Not enough memory for building temporary path.\n");
+        exit(-1);
+    }
+    sprintf(userHome, "%s/%s", userEntry->pw_dir, suffix);
     return userHome;
 }
 
-- 
2.7.4