From f303b46312f8d8be4210fba66082d5a7572dbd70 Mon Sep 17 00:00:00 2001
From: Eric Biggers
Date: Mon, 28 Apr 2014 12:52:21 -0500
Subject: [PATCH 1/1] wimlib_join(): Fix buffer overrun when swm part 1 not specified

Before checking for swm completeness, there can potentially be (num_additional_swms + 1) parts that are *not* part 1, so make the additional_swms array large enough.
---
 src/join.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/join.c b/src/join.c
index b2125d13..8a0abe5d 100644
--- a/src/join.c
+++ b/src/join.c
@@ -169,7 +169,8 @@ wimlib_join(const tchar * const *swm_names,
 return WIMLIB_ERR_INVALID_PARAM;
 num_additional_swms = num_swms - 1;
- additional_swms = CALLOC(num_additional_swms, sizeof(additional_swms[0]));
+ additional_swms = CALLOC((num_additional_swms + 1),
+ sizeof(additional_swms[0]));
 if (!additional_swms) return WIMLIB_ERR_NOMEM;
@@ -188,6 +189,7 @@ wimlib_join(const tchar * const *swm_names,
 }
 if (!swm0) {
+ ERROR("Part 1 of the split WIM was not specified!");
 ret = WIMLIB_ERR_SPLIT_INVALID;
 goto out_free_swms;
 }
@@ -210,7 +212,7 @@ wimlib_join(const tchar * const *swm_names,
 wim_write_flags | WIMLIB_WRITE_FLAG_STREAMS_OK, 1, progress_func);
 out_free_swms:
- for (i = 0; i < num_additional_swms; i++)
+ for (i = 0; i < num_additional_swms + 1; i++)
 wimlib_free(additional_swms[i]);
 FREE(additional_swms);
 wimlib_free(swm0);
--
2.43.0
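Review bot: The array capacity is now spelled `num_additional_swms + 1` in the `CALLOC` call and again in the cleanup loop under `out_free_swms:`, so the bound that prevents the overrun lives in two expressions that must be kept in step by hand. Because the context line above sets `num_additional_swms = num_swms - 1`, the same capacity can be stated directly as `CALLOC(num_swms, sizeof(additional_swms[0]))` and `for (i = 0; i < num_swms; i++)`. A comment on the allocation such as `/* one slot per input part: until part 1 is identified, any part may be stored here */` would record why the extra slot exists. The loop that fills the array lies outside this hunk; if it stores without comparing its index to the capacity, an explicit check there would be a stronger guard than the larger allocation alone.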
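Review bot: The widened loop under `out_free_swms:` presumably visits at least one slot that was never assigned when part 1 is present, so it depends on `CALLOC` returning zeroed memory and on `wimlib_free()` treating a NULL argument as a no-op; neither is visible in this hunk. A comment above the loop, for example `/* unused slots stay NULL from CALLOC; wimlib_free(NULL) must be a no-op */`, would make that dependency explicit for anyone who later changes the allocator or the free routine. The function body starts and ends outside the hunk, so the other paths that jump to this label cannot be checked from here.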