commit 05c2de4c688ef34c80dc6df249acf0e661d5f23d
author Ayke van Laethem <aykevanlaethem@gmail.com> Fri Jun 02 00:19:27 2017 +0200
committer Ayke van Laethem <aykevanlaethem@gmail.com> Sat Jun 03 02:37:06 2017 +0200
tree ac7fca531c3964f350176460f00eb0d32ca98e31
parent 5073003302f677a9b7de1436c6304f156603d322

Fix various memory errors

There were a few memory errors while restoring a backup via adb (created
using `adb backup --twrp`).
On my device (S5 mini) it resulted in this error message:

  FORTIFY: strlen: prevented read past end of buffer

This commit fixes this issue and a few other potential issues.

Change-Id: I5022c94c961217238b3fefec0b2c4b8c6fa26ec7

adbbu/twrpback.cpp

diff --git a/adbbu/twrpback.cpp b/adbbu/twrpback.cpp
index c59fd1c..d9b973b 100644
--- a/adbbu/twrpback.cpp
+++ b/adbbu/twrpback.cpp
@@ -133,7 +133,12 @@
 		}
 	}
 
-	sprintf(operation, "adbbackup %s", command.c_str());
+	memset(operation, 0, sizeof(operation));
+	if (snprintf(operation, sizeof(operation), "adbbackup %s", command.c_str()) >= sizeof(operation)) {
+		adblogwrite("Operation too big to write to ORS_INPUT_FILE\n");
+		close_backup_fds();
+		return -1;
+	}
 	if (write(write_fd, operation, sizeof(operation)) != sizeof(operation)) {
 		adblogwrite("Unable to write to ORS_INPUT_FILE\n");
 		close_backup_fds();
@@ -173,8 +178,7 @@
 			struct AdbBackupControlType structcmd;
 
 			memcpy(&structcmd, cmd, sizeof(cmd));
-			std::string cmdstr(structcmd.type);
-			std::string cmdtype = cmdstr.substr(0, sizeof(structcmd.type) - 1);
+			std::string cmdtype = structcmd.get_type();
 
 			//we received an error, exit and unlink
 			if (cmdtype == TWERROR) {
@@ -396,7 +400,6 @@
 
 int twrpback::restore(void) {
 	twrpDigest adb_md5;
-	char cmd[MAX_ADB_READ];
 	char result[MAX_ADB_READ];
 	struct AdbBackupControlType structcmd;
 	int adb_control_twrp_fd, errctr = 0;
@@ -436,6 +439,7 @@
 		}
 	}
 
+	memset(operation, 0, sizeof(operation));
 	sprintf(operation, "adbrestore");
 	if (write(write_fd, operation, sizeof(operation)) != sizeof(operation)) {
 		adblogwrite("Unable to write to ORS_INPUT_FILE\n");
@@ -489,8 +493,7 @@
 		if (read(adb_control_bu_fd, &cmd, sizeof(cmd)) > 0) {
 			struct AdbBackupControlType structcmd;
 			memcpy(&structcmd, cmd, sizeof(cmd));
-			std::string cmdstr(structcmd.type);
-			std::string cmdtype = cmdstr.substr(0, sizeof(structcmd.type) - 1);
+			std::string cmdtype = structcmd.get_type();
 
 			//If we receive TWEOF from TWRP close adb data fifo
 			if (cmdtype == TWEOF) {
@@ -516,13 +519,11 @@
 		}
 		//If we should read from the adb stream, write commands and data to TWRP
 		if (read_from_adb) {
-			std::string cmdstr;
 			int readbytes;
 			if ((readbytes = fread(result, 1, sizeof(result), adbd_fp)) == sizeof(result)) {
 				totalbytes += readbytes;
 				memcpy(&structcmd, result, sizeof(result));
-				cmdstr = structcmd.type;
-				std::string cmdtype = cmdstr.substr(0, sizeof(structcmd.type) - 1);
+				std::string cmdtype = structcmd.get_type();
 
 				//Tell TWRP we have read the entire adb stream
 				if (cmdtype == TWENDADB) {
@@ -663,9 +664,9 @@
 						}
 						totalbytes += readbytes;
 						memcpy(&structcmd, result, sizeof(result));
-						cmdstr = structcmd.type;
+						std::string cmdtype = structcmd.get_type();
 
-						if (cmdstr.substr(0, sizeof(MD5TRAILER) - 1) == MD5TRAILER) {
+						if (cmdtype.substr(0, sizeof(MD5TRAILER) - 1) == MD5TRAILER) {
 							struct AdbBackupFileTrailer md5tr;
 							uint32_t crc, md5trcrc, md5ident, md5identmatch;
 
@@ -778,6 +779,12 @@
 		return -1;
 	}
 
+	if (argc <= 1) {
+		tw.adblogwrite("No parameters given, exiting...\n");
+		tw.close_restore_fds();
+		return -1;
+	}
+
 	command = argv[1];
 	for (index = 2; index < argc; index++) {
 		command = command + " " + argv[index];