From: Eric Biggers
Date: Mon, 28 Apr 2014 17:52:21 +0000 (-0500)
Subject: wimlib_join(): Fix buffer overrun when swm part 1 not specified
X-Git-Tag: v1.7.0~249
X-Git-Url: https://wimlib.net/git/?p=wimlib;a=commitdiff_plain;h=f303b46312f8d8be4210fba66082d5a7572dbd70;hp=74d4d4b70eda3ab6e5f30e9d8c019034ce8fba15

wimlib_join(): Fix buffer overrun when swm part 1 not specified

Before checking for swm completeness, there can potentially be (num_additional_swms + 1) parts that are *not* part 1, so make the additional_swms array large enough.
---
diff --git a/src/join.c b/src/join.c
index b2125d13..8a0abe5d 100644
--- a/src/join.c
+++ b/src/join.c
@@ -169,7 +169,8 @@ wimlib_join(const tchar * const *swm_names,
 return WIMLIB_ERR_INVALID_PARAM;
 num_additional_swms = num_swms - 1;
- additional_swms = CALLOC(num_additional_swms, sizeof(additional_swms[0]));
+ additional_swms = CALLOC((num_additional_swms + 1),
+ sizeof(additional_swms[0]));
 if (!additional_swms)
 return WIMLIB_ERR_NOMEM;
@@ -188,6 +189,7 @@ wimlib_join(const tchar * const *swm_names,
 }
 if (!swm0) {
+ ERROR("Part 1 of the split WIM was not specified!");
 ret = WIMLIB_ERR_SPLIT_INVALID;
 goto out_free_swms;
 }
@@ -210,7 +212,7 @@ wimlib_join(const tchar * const *swm_names,
 wim_write_flags | WIMLIB_WRITE_FLAG_STREAMS_OK,
 1, progress_func);
 out_free_swms:
- for (i = 0; i < num_additional_swms; i++)
+ for (i = 0; i < num_additional_swms + 1; i++)
 wimlib_free(additional_swms[i]);
 FREE(additional_swms);
 wimlib_free(swm0);
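Review bot: The array capacity is now spelled `num_additional_swms + 1` in two separate places, the CALLOC() in this first hunk and the cleanup loop in the third hunk, and nothing ties the two together. If one is edited without the other, the loop walks past the end of the heap array and hands whatever it reads to wimlib_free(). Since `num_additional_swms = num_swms - 1` on the line above, both sites could use the existing count directly: `additional_swms = CALLOC(num_swms, sizeof(additional_swms[0]));` and `for (i = 0; i < num_swms; i++)`. A short comment at the allocation, such as `/* Until part 1 is identified, every opened part may land in this array. */`, would record why the size is not num_swms - 1. The loop that fills the array is outside the hunk, so its own bound could not be checked here.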
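Review bot: In the third hunk the widened loop at `out_free_swms:` now calls `wimlib_free(additional_swms[i])` on slots that were never assigned: on the normal path, where part 1 is found, only num_additional_swms of the slots are filled. That is safe only if CALLOC() zero-fills the array and wimlib_free() accepts NULL, and neither is visible in this diff. If both hold, a comment above the loop would keep a later switch to a non-zeroing allocator from turning this into a free of uninitialized pointers, for example `/* Unused slots are NULL from CALLOC(); wimlib_free(NULL) is a no-op. */`. The enclosing function begins and ends outside the hunk.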