From: James Turner Date: Sat, 14 Sep 2013 16:39:02 +0000 (+0100) Subject: Fix for CVE-2012-2091: X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=dab588c7895f5065f60e1a7756e00878fcdbbba3;p=flightgear.git Fix for CVE-2012-2091: add checks against buffer overruns CVE-2012-2091 mentions various buffer overruns in simgear and flightgear. This patch addresses this issue in Rotor::getValueforFGSet(). From: Tom Callaway --- diff --git a/src/FDM/YASim/Rotor.cpp b/src/FDM/YASim/Rotor.cpp index 46207027c..c22235814 100644 --- a/src/FDM/YASim/Rotor.cpp +++ b/src/FDM/YASim/Rotor.cpp @@ -273,7 +273,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f) if (4>numRotorparts()) return 0; //compile first! if (j==0) { - sprintf(text,"/rotors/%s/cone-deg", _name); + snprintf(text, 256, "/rotors/%s/cone-deg", _name); *f=(_balance1>-1)?( ((Rotorpart*)getRotorpart(0))->getrealAlpha() +((Rotorpart*)getRotorpart(1*(_number_of_parts>>2)))->getrealAlpha() +((Rotorpart*)getRotorpart(2*(_number_of_parts>>2)))->getrealAlpha() @@ -283,7 +283,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f) else if (j==1) { - sprintf(text,"/rotors/%s/roll-deg", _name); + snprintf(text, 256, "/rotors/%s/roll-deg", _name); _roll = ( ((Rotorpart*)getRotorpart(0))->getrealAlpha() -((Rotorpart*)getRotorpart(2*(_number_of_parts>>2)))->getrealAlpha() )/2*(_ccw?-1:1); @@ -292,7 +292,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f) else if (j==2) { - sprintf(text,"/rotors/%s/yaw-deg", _name); + snprintf(text, 256, "/rotors/%s/yaw-deg", _name); _yaw=( ((Rotorpart*)getRotorpart(1*(_number_of_parts>>2)))->getrealAlpha() -((Rotorpart*)getRotorpart(3*(_number_of_parts>>2)))->getrealAlpha() )/2; 
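Review bot: The bound `256` passed to each `snprintf` is a bare literal that `getValueforFGSet(int j, char *text, float *f)` has no way to verify against the caller's buffer. The write is therefore only bounded if every caller passes at least 256 bytes, and the callers are outside this diff, so that needs confirming. The same literal repeats in the hunks at 283, 292, 301 and 343. I would define the size once where caller and callee both see it (for example a constant with a suggested name such as `ROTOR_FGSET_TEXT_SIZE`) or pass it as a parameter, and state the contract above the function: `// text must point to a buffer of at least ROTOR_FGSET_TEXT_SIZE bytes`. The return value is also discarded, so an over-long `_name` now yields a silently truncated property path. A check such as `if (n < 0 || n >= 256) return 0;` after each call would surface that instead. The function body starts and ends outside these hunks.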
@@ -301,38 +301,38 @@ int Rotor::getValueforFGSet(int j,char *text,float *f) else if (j==3) { - sprintf(text,"/rotors/%s/rpm", _name); + snprintf(text, 256, "/rotors/%s/rpm", _name); *f=(_balance1>-1)?_omega/2/pi*60:0; } else if (j==4) { - sprintf(text,"/rotors/%s/tilt/pitch-deg",_name); + snprintf(text, 256, "/rotors/%s/tilt/pitch-deg",_name); *f=_tilt_pitch*180/pi; } else if (j==5) { - sprintf(text,"/rotors/%s/tilt/roll-deg",_name); + snprintf(text, 256, "/rotors/%s/tilt/roll-deg",_name); *f=_tilt_roll*180/pi; } else if (j==6) { - sprintf(text,"/rotors/%s/tilt/yaw-deg",_name); + snprintf(text, 256, "/rotors/%s/tilt/yaw-deg",_name); *f=_tilt_yaw*180/pi; } else if (j==7) { - sprintf(text,"/rotors/%s/balance", _name); + snprintf(text, 256, "/rotors/%s/balance", _name); *f=_balance1; } else if (j==8) { - sprintf(text,"/rotors/%s/stall",_name); + snprintf(text, 256, "/rotors/%s/stall",_name); *f=getOverallStall(); } else if (j==9) { - sprintf(text,"/rotors/%s/torque",_name); + snprintf(text, 256, "/rotors/%s/torque",_name); *f=-_torque;; } else @@ -343,7 +343,7 @@ int Rotor::getValueforFGSet(int j,char *text,float *f) return 0; } int w=j%3; - sprintf(text,"/rotors/%s/blade[%i]/%s", + snprintf(text, 256, "/rotors/%s/blade[%i]/%s", _name,b, w==0?"position-deg":(w==1?"flap-deg":"incidence-deg")); *f=((Rotorpart*)getRotorpart(0))->getPhi()*180/pi