From 2e13d4d050ab1eaea48af78b7d563fc86cbaec90 Mon Sep 17 00:00:00 2001 From: robertl Date: Mon, 25 Nov 2002 01:01:39 +0000 Subject: [PATCH] 1) Clean up a number of memory overwrites exposed by running Garmin protocol under Windows that don't show up with efence on Linux. 2) Don't cross the ident and shortnames of the waypoints. gpsapp.c) Correct loops for D108 and D109 that are looking at zero terminated strings when its own doc says that the input is NOT zero terminated strings. (Why am I rapidly losing faith in jeeps?) gpsmem.c) Initialize several more waypoint fields on startup. --- gpsbabel/garmin.c | 19 +++++++++---------- gpsbabel/jeeps/gpsapp.c | 39 ++++++++++++++++++++++++--------------- gpsbabel/jeeps/gpsmem.c | 20 ++++++++++++++------ 3 files changed, 47 insertions(+), 31 deletions(-) diff --git a/gpsbabel/garmin.c b/gpsbabel/garmin.c index ce3049e23..a05dbe221 100644 --- a/gpsbabel/garmin.c +++ b/gpsbabel/garmin.c @@ -145,7 +145,7 @@ data_write(void) extern int32 gps_save_id; int short_length; - way = xmalloc(n*sizeof(*way)); + way = xcalloc(n,sizeof(*way)); for (i = 0; i < n; i++) { if(!((way)[i]=GPS_Way_New())) @@ -203,7 +203,8 @@ data_write(void) QUEUE_FOR_EACH(&waypt_head, elem, tmp) { waypoint *wpt; char *ident; - char *src; + char *src = NULL; + char *wptname; wpt = (waypoint *) elem; 
@@ -213,20 +214,18 @@ data_write(void) ident = global_opts.synthesize_shortnames ? mkshort(src) : wpt->shortname; - strncpy(way[i]->ident, ident, sizeof(way[i]->ident)); - if (wpt->description) { - strncpy(way[i]->cmnt, wpt->description, - sizeof(way[i]->cmnt)); - } else { - way[i]->cmnt[0] = 0; + way[i]->ident[sizeof(way[i]->ident)-1] = 0; + if (src && strlen(src)) { + strncpy(way[i]->cmnt, src, sizeof(way[i]->cmnt)); } way[i]->lon = wpt->position.longitude.degrees; way[i]->lat = wpt->position.latitude.degrees; - way[i]->alt = wpt->position.altitude.altitude_meters; + if (wpt->position.altitude.altitude_meters != unknown_alt) { + way[i]->alt = wpt->position.altitude.altitude_meters; + } i++; } - if ((ret = GPS_Command_Send_Waypoint(portname, way, n)) < 0) { fatal(MYNAME ":communication error sending wayoints..\n"); } diff --git a/gpsbabel/jeeps/gpsapp.c b/gpsbabel/jeeps/gpsapp.c index 4937ea1e0..898e0f50a 100644 --- a/gpsbabel/jeeps/gpsapp.c +++ b/gpsbabel/jeeps/gpsapp.c @@ -1839,17 +1839,23 @@ static void GPS_D108_Send(UC *data, GPS_PWay way, int32 *len) q = (UC *) way->ident; - while((*p++ = *q++)); + i = sizeof(way->ident); + while((*p++ = *q++) && i--); q = (UC *) way->cmnt; - while((*p++ = *q++)); + i = sizeof(way->cmnt); + while((*p++ = *q++) && i--); q = (UC *) way->facility; - while((*p++ = *q++)); + i = sizeof(way->facility); + while((*p++ = *q++) && i--); q = (UC *) way->city; - while((*p++ = *q++)); + i = sizeof(way->city); + while((*p++ = *q++) && i--); q = (UC *) way->addr; - while((*p++ = *q++)); + i = sizeof(way->addr); + while((*p++ = *q++) && i--); q = (UC *) way->cross_road; - while((*p++ = *q++)); + i = sizeof(way->cross_road); + while((*p++ = *q++) && i--); *len = p-data; @@ -1875,7 +1881,6 @@ static void GPS_D109_Send(UC *data, GPS_PWay way, int32 *len) int32 i; p = data; - *p++ = 1 /* way->wpt_class */; /* For D109, the class must be 1 */ *p++ = 0 /* way->colour*/ ; /* If non-zero, the waypoint is in invisible ink on the V. */ 
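Review bot: In data_write() (gpsbabel/garmin.c) the hunk as shown removes `strncpy(way[i]->ident, ident, sizeof(way[i]->ident));` and adds only `way[i]->ident[sizeof(way[i]->ident)-1] = 0;`, so the `ident` chosen just above is never copied and the field keeps whatever GPS_Way_New() left in it. If that removal is real and not an artefact of the flattened diff, keep the copy as `strncpy(way[i]->ident, ident, sizeof(way[i]->ident) - 1);` and let the new line terminate it. The comment copy has a similar gap: `strncpy(way[i]->cmnt, src, sizeof(way[i]->cmnt));` leaves cmnt unterminated when src fills the field, and with the `else` branch gone a waypoint without text no longer gets `way[i]->cmnt[0] = 0;`. The `char *wptname;` added in the previous hunk is not used in any visible line. The assignments to `src` sit between the two hunks and are not shown.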
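Review bot: The bounded copy added to GPS_D108_Send (gpsbabel/jeeps/gpsapp.c), `while((*p++ = *q++) && i--);`, still copies one byte too many, because `i--` is tested only after the byte has been stored. A field with no zero byte therefore yields sizeof(field)+1 bytes, the last one read from past the end of that field. When the count runs out, no terminating zero is written either, which the old loop always emitted. A form that stays inside the field is `for (i = 0; i < (int32)sizeof(way->ident) && q[i]; i++) *p++ = q[i];` followed by `*p++ = 0;`, repeated per field or moved into a small static helper. The same loop is used for all six fields here and again in GPS_D109_Send; whether `data` has room for six full-width fields cannot be checked from the hunk.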
@@ -1901,20 +1906,24 @@ static void GPS_D109_Send(UC *data, GPS_PWay way, int32 *len) for(i=0;i<4;++i) *p++ = 0xff; /* D109 silliness for ETE */ q = (UC *) way->ident; - while((*p++ = *q++)); + i = sizeof(way->ident); + while((*p++ = *q++) && i--); q = (UC *) way->cmnt; - while((*p++ = *q++)); + i = sizeof(way->ident); + while((*p++ = *q++) && i--); q = (UC *) way->facility; - while((*p++ = *q++)); + i = sizeof(way->facility); + while((*p++ = *q++) && i--); q = (UC *) way->city; - while((*p++ = *q++)); + i = sizeof(way->city); + while((*p++ = *q++) && i--); q = (UC *) way->addr; - while((*p++ = *q++)); + i = sizeof(way->addr); + while((*p++ = *q++) && i--); q = (UC *) way->cross_road; - while((*p++ = *q++)); - + i = sizeof(way->cross_road); + while((*p++ = *q++) && i--); *len = p-data; - return; } diff --git a/gpsbabel/jeeps/gpsmem.c b/gpsbabel/jeeps/gpsmem.c index e2c83679c..35a95894e 100644 --- a/gpsbabel/jeeps/gpsmem.c +++ b/gpsbabel/jeeps/gpsmem.c 
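Review bot: In GPS_D109_Send (gpsbabel/jeeps/gpsapp.c) the bound for the comment copy is taken from the wrong field: `q = (UC *) way->cmnt;` is followed by `i = sizeof(way->ident);`, where the matching lines in GPS_D108_Send use `sizeof(way->cmnt)`. If ident is declared smaller than cmnt, D109 comments are cut at the ident width; if it is larger, the copy can run past the end of cmnt. Change the line to `i = sizeof(way->cmnt);`. The field declarations are not part of this diff, so which of the two cases applies should be checked against the struct.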
@@ -232,18 +232,26 @@ GPS_PWay GPS_Way_New(void) fflush(stderr); return NULL; } - - /* Mark all as "unused" */ + /* + * Mark all as "unused". These appear in the same order as in struct. + * It's wretched that A) memset isn't used. B) sizeof isn't used. C) + * The whole stupid structure isn't simply memsetted sanely. + */ for(i=0;i<6;++i) ret->ident[i]=' '; - for(i=0;i<2;++i) ret->cc[i]=' '; - for(i=0;i<18;++i) ret->subclass[i]=' '; for(i=0;i<40;++i) ret->cmnt[i]=' '; + for(i=0;i<256;++i) ret->wpt_ident[i]=' '; + for(i=0;i<256;++i) ret->lnk_ident[i]=' '; + for(i=0;i<18;++i) ret->subclass[i]=' '; + for(i=0;i<2;++i) ret->cc[i]=' '; for(i=0;i<24;++i) ret->city[i]=' '; for(i=0;i<2;++i) ret->state[i]=' '; for(i=0;i<30;++i) ret->name[i]=' '; + for(i=0;i<32;++i) ret->facility[i]=' '; + for(i=0;i<52;++i) ret->addr[i]=' '; + for(i=0;i<52;++i) ret->cross_road[i]=' '; + for(i=0;i<20;++i) ret->rte_cmnt[i]=' '; + for(i=0;i<256;++i) ret->rte_ident[i]=' '; for(i=0;i<18;++i) ret->rte_link_subclass[i]=' '; - for(i=0;i<256;++i) ret->wpt_ident[i]=' '; - for(i=0;i<256;++i) ret->lnk_ident[i]=' '; for(i=0;i<256;++i) ret->rte_link_ident[i]=' '; ret->dst = ret->lat = ret->lon = GPS_FLTMAX; -- 2.30.2
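Review bot: The fill loops added to GPS_Way_New (gpsbabel/jeeps/gpsmem.c) bring in more hard-coded lengths (32, 52, 52, 20, 256) that must match struct declarations this hunk does not show. A literal larger than its array is the kind of overwrite this commit is chasing, and a smaller one leaves the tail of the field unset. Taking the size from the field avoids both, as the added comment itself asks: `memset(ret->facility, ' ', sizeof ret->facility);` and likewise for the other fields, assuming they are arrays and <string.h> is included. garmin.c bounds ident with `sizeof(way[i]->ident)` while this function fills only 6 bytes of it, so the two agree only if ident has exactly 6 elements. The function starts and ends outside the hunk.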