wimlib_join(): Fix buffer overrun when swm part 1 not specified
authorEric Biggers <ebiggers3@gmail.com>
Mon, 28 Apr 2014 17:52:21 +0000 (12:52 -0500)
committerEric Biggers <ebiggers3@gmail.com>
Mon, 28 Apr 2014 17:52:21 +0000 (12:52 -0500)
Before checking for swm completeness, there can potentially be
(num_additional_swms + 1) parts that are *not* part 1, so make the
additional_swms array large enough.

src/join.c

index b2125d1..8a0abe5 100644 (file)
@@ -169,7 +169,8 @@ wimlib_join(const tchar * const *swm_names,
                return WIMLIB_ERR_INVALID_PARAM;
        num_additional_swms = num_swms - 1;
 
-       additional_swms = CALLOC(num_additional_swms, sizeof(additional_swms[0]));
+       additional_swms = CALLOC((num_additional_swms + 1),
+                                sizeof(additional_swms[0]));
        if (!additional_swms)
                return WIMLIB_ERR_NOMEM;
 
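Review bot: The `+ 1` in the CALLOC count is a bare adjustment that is repeated by hand in the `out_free_swms` loop bound in the third hunk, so the allocation size and the free loop can drift apart again and reintroduce the heap overrun. Since `num_additional_swms` is assigned `num_swms - 1` just above, both sites could be sized by `num_swms` directly (assuming neither variable is modified in between, which the hunks do not show): `additional_swms = CALLOC(num_swms, sizeof(additional_swms[0]));` and `for (i = 0; i < num_swms; i++)`. A short comment at the allocation saying that every supplied part may be a non-part-1 part until completeness is checked would record why the array needs that many slots. The loop that fills `additional_swms` is outside the visible hunks; if it indexes by a running count, a bounds check there against the same capacity would make a future miscount fail with an error instead of writing past the array. The body of wimlib_join starts and ends outside these hunks.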
@@ -188,6 +189,7 @@ wimlib_join(const tchar * const *swm_names,
        }
 
        if (!swm0) {
+               ERROR("Part 1 of the split WIM was not specified!");
                ret = WIMLIB_ERR_SPLIT_INVALID;
                goto out_free_swms;
        }
@@ -210,7 +212,7 @@ wimlib_join(const tchar * const *swm_names,
                           wim_write_flags | WIMLIB_WRITE_FLAG_STREAMS_OK,
                           1, progress_func);
 out_free_swms:
-       for (i = 0; i < num_additional_swms; i++)
+       for (i = 0; i < num_additional_swms + 1; i++)
                wimlib_free(additional_swms[i]);
        FREE(additional_swms);
        wimlib_free(swm0);