CBL_COPY_FILE利用時の不正なメモリ参照

n-isaka · n-isaka · commit 283b3cecf194 · 2015-06-18T18:43:14.000+09:00
* CBL_COPY_FILE関数内で、free済みの領域を利用してファイルのReadを行っていたものを修正
* READ/WRITEのバッファサイズをsizeof(char*)でとっていたため、4 or 8byteでファイルの読み書きをしていた点も修正
diff --git a/libcob/fileio.c b/libcob/fileio.c
@@ -5119,6 +5119,7 @@ CBL_COPY_FILE (unsigned char *fname1, unsigned char *fname2)
 {
 	char	*fn1;
 	char	*fn2;
+	char	buf[COB_SMALL_BUFF];
 	int	flag = O_BINARY;
 	int	ret;
 	int	i;
@@ -5154,8 +5155,8 @@ CBL_COPY_FILE (unsigned char *fname1, unsigned char *fname2)
 	}
 	free (fn2);
 	ret = 0;
-	while ((i = read (fd1, fn1, sizeof(fn1))) > 0) {
-		if (write (fd2, fn1, (size_t)i) < 0) {
+	while ((i = read (fd1, buf, sizeof(buf))) > 0) {
+		if (write (fd2, buf, (size_t)i) < 0) {
 			ret = -1;
 			break;
 		}

Original file line number	Diff line number	Diff line change
`@@ -5119,6 +5119,7 @@ CBL_COPY_FILE (unsigned char fname1, unsigned char fname2)`
`5119`	`5119`	`{`
`5120`	`5120`	`char *fn1;`
`5121`	`5121`	`char *fn2;`
	`5122`	`+ char buf[COB_SMALL_BUFF];`
`5122`	`5123`	`int flag = O_BINARY;`
`5123`	`5124`	`int ret;`
`5124`	`5125`	`int i;`
`@@ -5154,8 +5155,8 @@ CBL_COPY_FILE (unsigned char fname1, unsigned char fname2)`
`5154`	`5155`	`}`
`5155`	`5156`	`free (fn2);`
`5156`	`5157`	`ret = 0;`
`5157`		`- while ((i = read (fd1, fn1, sizeof(fn1))) > 0) {`
`5158`		`- if (write (fd2, fn1, (size_t)i) < 0) {`
	`5158`	`+ while ((i = read (fd1, buf, sizeof(buf))) > 0) {`
	`5159`	`+ if (write (fd2, buf, (size_t)i) < 0) {`
`5159`	`5160`	`ret = -1;`
`5160`	`5161`	`break;`
`5161`	`5162`	`}`