Merge branch 'release-0.5'

ChangeLog

@@ -1,3 +1,12 @@
+2015-09-14  André Colomb  <[email protected]>
+
+	* Fix possible memory access error caused by a missing check for
+	the source field size in field copy functions.  This changes the
+	signature of the field_copy_f function prototype and all its
+	implementations.  Therefore bump the minor version.
+
+	* Release version 0.5
+
 2015-08-14  André Colomb  <[email protected]>
 
 	* Fix segmentation fault when using Intel Hex files, caused by an

configure.ac

@@ -17,7 +17,7 @@
 # <http://www.gnu.org/licenses/>.
 
 
-AC_INIT([elf-mangle], [0.4.2], [[email protected]])
+AC_INIT([elf-mangle], [0.5], [[email protected]])
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_SRCDIR([src/elf-mangle.c])
 AC_CONFIG_AUX_DIR([.])

po/de.po

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: elf-mangle 0.1\n"
 "Report-Msgid-Bugs-To: [email protected]\n"
-"POT-Creation-Date: 2015-07-22 12:55+0200\n"
+"POT-Creation-Date: 2015-09-14 10:53+0200\n"
 "PO-Revision-Date: 2015-07-22 12:56+0100\n"
 "Last-Translator: Andre Colomb <[email protected]>\n"
 "Language-Team: German\n"
@@ -61,7 +61,7 @@ msgstr " (%<PRIu8> nicht druckbare Zeichen durch %c ersetzt)"
 msgid "<unknown version> (%<PRIu8> bytes)"
 msgstr "<unbekannte Version> (%<PRIu8> Byte)"
 
-#: src/custom_known_fields.c:202
+#: src/custom_known_fields.c:206
 #, c-format
 msgid ""
 "WARNING: %s changed to match target hardware type!\n"
@@ -72,11 +72,11 @@ msgstr ""
 "\t\t%02<PRIu8> (%s) in Zielobjekt\n"
 "\t\t%02<PRIu8> (%s) aus Abbild gelesen\n"
 
-#: src/custom_known_fields.c:219
+#: src/custom_known_fields.c:223
 msgid "Unique system identification"
 msgstr "Eindeutige Systemkennung"
 
-#: src/custom_known_fields.c:221
+#: src/custom_known_fields.c:225
 msgid "System firmware version"
 msgstr "Firmwareversion des Systems"
 
@@ -431,17 +431,17 @@ msgstr "Größe der Sektion: %zu Byte\n"
 msgid "%s: Target `%s' (%p) matches source symbol %p\n"
 msgstr "%s: Ziel '%s' (%p) entspricht Symbol %p in Quelle\n"
 
-#: src/transform.c:70
+#: src/transform.c:71
 #, c-format
 msgid "%s: %zu of %zu bytes copied\n"
 msgstr "%s: %zu von %zu Byte kopiert\n"
 
-#: src/transform.c:73
+#: src/transform.c:74
 #, c-format
 msgid "Target map field %s not found in source.\n"
 msgstr "Feld %s der Zielzuordnung nicht in der Quelle gefunden.\n"
 
-#: src/transform.c:90
+#: src/transform.c:91
 #, c-format
 msgid "%s: Copy %d symbols in to %d out\n"
 msgstr "%s: Kopiere %d Quellsymbole auf %d Ziele\n"

src/custom_known_fields.c

@@ -189,27 +189,31 @@ resize_version(const char *src, size_t initial __attribute((unused)))
 static size_t
 copy_unique(const nvm_field *field,
 	    char *dst, const char *src,
-	    size_t max_size)
+	    size_t dst_size, size_t src_size)
 {
-    uint8_t target_hwtype = hwInvalid;
+    uint8_t new_hwtype, target_hwtype;
+    size_t copied;
 
-    if (max_size >= unique_hardware_offset) target_hwtype = convert_uint8(
+    if (dst_size >= unique_hardware_offset) target_hwtype = convert_uint8(
 	dst + unique_hardware_offset);
-    memcpy(dst, src, max_size);
-
-    if (convert_uint8(src + unique_hardware_offset) != target_hwtype) {
-	fprintf(stderr,
-		_("WARNING: %s changed to match target hardware type!\n"
-		  "\t\t%02" PRIu8 " (%s) in target map\n"
-		  "\t\t%02" PRIu8 " (%s) provided from image\n"),
-		field->description,
-		target_hwtype, get_unique_hardware_type(target_hwtype),
-		convert_uint8(src + unique_hardware_offset),
-		get_unique_hardware_type(convert_uint8(src + unique_hardware_offset)));
-	dst[unique_hardware_offset] = target_hwtype;
-	return max_size - sizeof(target_hwtype);
+    copied = copy_field_verbatim(field, dst, src, dst_size, src_size);
+
+    if (src_size >= unique_hardware_offset &&
+	dst_size >= unique_hardware_offset) {
+	new_hwtype = convert_uint8(src + unique_hardware_offset);
+	if (new_hwtype != target_hwtype) {
+	    fprintf(stderr,
+		    _("WARNING: %s changed to match target hardware type!\n"
+		      "\t\t%02" PRIu8 " (%s) in target map\n"
+		      "\t\t%02" PRIu8 " (%s) provided from image\n"),
+		    field->description,
+		    target_hwtype, get_unique_hardware_type(target_hwtype),
+		    new_hwtype, get_unique_hardware_type(new_hwtype));
+	    dst[unique_hardware_offset] = target_hwtype;
+	    return copied - sizeof(target_hwtype);
+	}
     }
-    return max_size;
+    return copied;
 }
 
 

src/nvm_field.c

@@ -55,18 +55,22 @@ find_field(const char *symbol,
 size_t
 copy_field_verbatim(const nvm_field *field __attribute__((unused)),
 		    char *dst, const char *src,
-		    size_t max_size)
+		    size_t dst_size, size_t src_size)
 {
-    memcpy(dst, src, max_size);
-    return max_size;
+    size_t common_size;
+
+    // Limit copying to the smaller of the source and destination fields
+    common_size = src_size < dst_size ? src_size : dst_size;
+    memcpy(dst, src, common_size);
+    return common_size;
 }
 
 
 
 size_t
 copy_field_noop(const nvm_field *field __attribute__((unused)),
 		char *dst __attribute__((unused)), const char *src __attribute__((unused)),
-		size_t max_size __attribute__((unused)))
+		size_t dst_size __attribute__((unused)), size_t src_size __attribute__((unused)))
 {
     return 0;
 }

src/nvm_field.h

@@ -44,7 +44,8 @@ typedef size_t (*field_copy_f)(
     const nvm_field *field,	///< [in] Access to field descriptor //FIXME needed?
     char *dst,			///< [out] Destination address for field data
     const char *src,		///< [in] Source address for field data
-    size_t max_size		///< [in] Maximum size in bytes to write to destination
+    size_t dst_size,		///< [in] Maximum size in bytes to write to destination
+    size_t src_size		///< [in] Maximum size in bytes available from source
 );
 
 ///@brief Function pointer to pretty-print data field content
@@ -83,7 +84,8 @@ size_t copy_field_verbatim(
     const nvm_field *field,	///< [in] Access to field descriptor //FIXME needed?
     char *dst,			///< [out] Destination address for field data
     const char *src,		///< [in] Source address for field data
-    size_t max_size		///< [in] Maximum size in bytes to write to destination
+    size_t dst_size,		///< [in] Maximum size in bytes to write to destination
+    size_t src_size		///< [in] Maximum size in bytes available from source
     );
 
 ///@brief Do not copy data field content (dummy implementation)
@@ -92,7 +94,8 @@ size_t copy_field_noop(
     const nvm_field *field,	///< [in] Access to field descriptor //FIXME needed?
     char *dst,			///< [out] Destination address for field data
     const char *src,		///< [in] Source address for field data
-    size_t max_size		///< [in] Maximum size in bytes to write to destination
+    size_t dst_size,		///< [in] Maximum size in bytes to write to destination
+    size_t src_size		///< [in] Maximum size in bytes available from source
     );
 
 #endif //NVM_FIELD_H_

src/transform.c

@@ -56,7 +56,7 @@ transfer_field_iterator(
 {
     const struct transfer_config *conf = arg;
     const nvm_symbol *symbol_src;
-    size_t copied __attribute__((unused));	//FIXME
+    size_t copied;
     field_copy_f copy_func = copy_field_verbatim;
 
     symbol_src = symbol_list_find_field(conf->list_src, conf->num_src, symbol_dst->field);
@@ -66,7 +66,8 @@ transfer_field_iterator(
 	if (symbol_dst->field->copy_func) copy_func = symbol_dst->field->copy_func;
 	copied = copy_func(
 	    symbol_dst->field,
-	    symbol_dst->blob_address, symbol_src->blob_address, symbol_dst->size);
+	    symbol_dst->blob_address, symbol_src->blob_address,
+	    symbol_dst->size, symbol_src->size);
 	if (DEBUG) printf(_("%s: %zu of %zu bytes copied\n"),
 			  symbol_dst->field->symbol, copied, symbol_dst->size);
     } else {