From: Eric Biggers <ebiggers3@gmail.com>
Date: Sun, 3 Mar 2013 22:12:10 +0000 (-0600)
Subject: verify_swm_set():  Decrease scope of parts_to_swms
X-Git-Tag: v1.2.6~18
X-Git-Url: https://wimlib.net/git/?p=wimlib;a=commitdiff_plain;h=a3b232578372572ac1c6907219ea0c13e4b7e4ea

verify_swm_set():  Decrease scope of parts_to_swms
---

diff --git a/src/verify.c b/src/verify.c
index b6bdbe63..777a6e0c 100644
--- a/src/verify.c
+++ b/src/verify.c
@@ -314,48 +314,54 @@ int verify_swm_set(WIMStruct *w, WIMStruct **additional_swms,
 	ctype = wimlib_get_compression_type(w);
 	guid = w->hdr.guid;
 
-	WIMStruct *parts_to_swms[num_additional_swms];
-	ZERO_ARRAY(parts_to_swms);
-	for (unsigned i = 0; i < num_additional_swms; i++) {
+	{
+		/* parts_to_swms is not allocated at function scope because it
+		 * should only be allocated after num_additional_swms was
+		 * checked to be the same as w->hdr.total_parts.  Otherwise, it
+		 * could be unexpectedly high and cause a stack overflow. */
+		WIMStruct *parts_to_swms[num_additional_swms];
+		ZERO_ARRAY(parts_to_swms);
+		for (unsigned i = 0; i < num_additional_swms; i++) {
 
-		WIMStruct *swm = additional_swms[i];
+			WIMStruct *swm = additional_swms[i];
 
-		if (wimlib_get_compression_type(swm) != ctype) {
-			ERROR("The split WIMs do not all have the same "
-			      "compression type");
-			return WIMLIB_ERR_SPLIT_INVALID;
-		}
-		if (memcmp(guid, swm->hdr.guid, WIM_GID_LEN) != 0) {
-			ERROR("The split WIMs do not all have the same "
-			      "GUID");
-			return WIMLIB_ERR_SPLIT_INVALID;
-		}
-		if (swm->hdr.part_number == 1) {
-			ERROR("WIMs `%s' and `%s' both are marked as the "
-			      "first WIM in the spanned set",
-			      w->filename, swm->filename);
-			return WIMLIB_ERR_SPLIT_INVALID;
-		}
-		if (swm->hdr.part_number == 0 ||
-		    swm->hdr.part_number > total_parts)
-		{
-			ERROR("WIM `%s' says it is part %u in the spanned set, "
-			      "but the part number must be in the range "
-			      "[1, %u]",
-			      swm->filename, swm->hdr.part_number, total_parts);
-			return WIMLIB_ERR_SPLIT_INVALID;
-		}
-		if (parts_to_swms[swm->hdr.part_number - 2])
-		{
-			ERROR("`%s' and `%s' are both marked as part %u of %u "
-			      "in the spanned set",
-			      parts_to_swms[swm->hdr.part_number - 2]->filename,
-			      swm->filename,
-			      swm->hdr.part_number,
-			      total_parts);
-			return WIMLIB_ERR_SPLIT_INVALID;
-		} else {
-			parts_to_swms[swm->hdr.part_number - 2] = swm;
+			if (wimlib_get_compression_type(swm) != ctype) {
+				ERROR("The split WIMs do not all have the same "
+				      "compression type");
+				return WIMLIB_ERR_SPLIT_INVALID;
+			}
+			if (memcmp(guid, swm->hdr.guid, WIM_GID_LEN) != 0) {
+				ERROR("The split WIMs do not all have the same "
+				      "GUID");
+				return WIMLIB_ERR_SPLIT_INVALID;
+			}
+			if (swm->hdr.part_number == 1) {
+				ERROR("WIMs `%s' and `%s' both are marked as the "
+				      "first WIM in the spanned set",
+				      w->filename, swm->filename);
+				return WIMLIB_ERR_SPLIT_INVALID;
+			}
+			if (swm->hdr.part_number == 0 ||
+			    swm->hdr.part_number > total_parts)
+			{
+				ERROR("WIM `%s' says it is part %u in the spanned set, "
+				      "but the part number must be in the range "
+				      "[1, %u]",
+				      swm->filename, swm->hdr.part_number, total_parts);
+				return WIMLIB_ERR_SPLIT_INVALID;
+			}
+			if (parts_to_swms[swm->hdr.part_number - 2])
+			{
+				ERROR("`%s' and `%s' are both marked as part %u of %u "
+				      "in the spanned set",
+				      parts_to_swms[swm->hdr.part_number - 2]->filename,
+				      swm->filename,
+				      swm->hdr.part_number,
+				      total_parts);
+				return WIMLIB_ERR_SPLIT_INVALID;
+			} else {
+				parts_to_swms[swm->hdr.part_number - 2] = swm;
+			}
 		}
 	}
 	return 0;