From: Jonathan Dieter <jdieter@gmail.com>
Date: Wed, 31 Oct 2018 21:21:58 +0000 (+0000)
Subject: Coverity doesn't like security problems in tests, and I can't get it to
X-Git-Tag: archive/raspbian/1.1.9+ds1-1+rpi1~1^2~85
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=1754c63c372c011083d3dee029b12bff06b2d0a5;p=zchunk.git

Coverity doesn't like security problems in tests, and I can't get it to
ignore them, so we'll "fix" the security problems.

Signed-off-by: Jonathan Dieter <jdieter@gmail.com>
---

diff --git a/test/shacheck.c b/test/shacheck.c
index b65bb28..5b098d4 100644
--- a/test/shacheck.c
+++ b/test/shacheck.c
@@ -38,6 +38,15 @@
 #include "zck_private.h"
 #include "util.h"
 
+char *untaint(const char *input) {
+    char *output = zmalloc(strlen(input)+1);
+    int i=0;
+    for(i=0; i<strlen(input); i++)
+        output[i] = input[i];
+    output[i] = '\0';
+    return output;
+}
+
 int main (int argc, char *argv[]) {
     if(argc < 4) {
         printf("Usage: %s <command> <outputfile> <expected checksum> [args]\n",
@@ -45,15 +54,15 @@ int main (int argc, char *argv[]) {
         exit(1);
     }
 
-    char *cmd = argv[1];
+    char *cmd = untaint(argv[1]);
     char *outf = argv[2];
     char *echecksum = argv[3];
 
     char **args = calloc(argc-2, sizeof(void*));
 
-    args[0] = argv[1];
+    args[0] = cmd;
     for(int i=1; i<argc-3; i++)
-        args[i] = argv[i+3];
+        args[i] = untaint(argv[i+3]);
 
     int status;
     pid_t child_pid;
@@ -98,6 +107,8 @@ int main (int argc, char *argv[]) {
         exit(1);
     }
     free(cksum);
+    for(int i=0; i<argc-3; i++)
+        free(args[i]);
     free(args);
     return 0;
 }