amdfwtool: Copy string in a safer way
The issue is reported by Coverity. Using strcpy or strcat copying
string without checking length may cause overflow.
BUG=b:188769921
Reported-by: Coverity (CID:1438964)
Change-Id: I609d9ce405d01c57b1847a6310630ea0341e13be
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/54946
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
diff --git a/util/amdfwtool/data_parse.c b/util/amdfwtool/data_parse.c
index 6b773e0..026480f 100644
--- a/util/amdfwtool/data_parse.c
+++ b/util/amdfwtool/data_parse.c
@@ -5,6 +5,7 @@
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
+#include <assert.h>
#include "amdfwtool.h"
@@ -410,6 +411,7 @@
char oneline[MAX_LINE_SIZE], *path_filename;
regmatch_t match[N_MATCHES];
char dir[MAX_LINE_SIZE] = {'\0'};
+ uint32_t dir_len;
compile_reg_expr(REG_EXTENDED | REG_NEWLINE,
blank_or_comment_regex, &blank_or_comment_expr);
@@ -424,7 +426,10 @@
continue;
if (is_valid_entry(oneline, match)) {
if (strcmp(&(oneline[match[1].rm_so]), "FIRMWARE_LOCATION") == 0) {
- strcpy(dir, &(oneline[match[2].rm_so]));
+ dir_len = match[2].rm_eo - match[2].rm_so;
+ assert(dir_len < MAX_LINE_SIZE);
+ snprintf(dir, MAX_LINE_SIZE, "%.*s", dir_len,
+ &(oneline[match[2].rm_so]));
break;
}
}
@@ -445,10 +450,10 @@
if (strcmp(&(oneline[match[1].rm_so]), "FIRMWARE_LOCATION") == 0) {
continue;
} else {
- path_filename = malloc(MAX_LINE_SIZE);
- strcpy(path_filename, dir);
- strcat(path_filename, "/");
- strcat(path_filename, &(oneline[match[2].rm_so]));
+ path_filename = malloc(MAX_LINE_SIZE * 2 + 2);
+ snprintf(path_filename, MAX_LINE_SIZE * 2 + 2, "%.*s/%.*s",
+ MAX_LINE_SIZE, dir, MAX_LINE_SIZE,
+ &(oneline[match[2].rm_so]));
if (find_register_fw_filename_psp_dir(
&(oneline[match[1].rm_so]),