citrus_mapper_646 multiple bugs (but as it happens work fine)

Issue #57 closed
Takehiko NOZAKI repo owner created an issue

Auditing the following code:

100 #define T_COMM '#'
101 static int
102 parse_file(struct _citrus_mapper_646 *m6, const char *path)
103 {
...
109         char buf[PATH_MAX];
...
129                 snprintf(buf, sizeof(buf), "%.*s", (int)len, p);
130                 m6->m6_map[i] = strtoul(buf, (char **)&p, 0);
131                 p = _bcs_skip_ws(buf);
132                 if (*p != T_COMM && !*p) {
133                         ret = EINVAL;
134                         break;
135                 }
  • line 109: this buffer holds one line of the file; PATH_MAX is not suitable for this purpose.
  • line 129: line truncation by snprintf(3) isn't handled, and using memcpy(3) is better.
  • line 130: don't use strtoul(3), use _bcs_strtoul() here.
  • _index_t's max is limited to UINT32_MAX, so 32-bit archs can't detect strtoul's overflow, ULONG_MAX or UINT32_MAX.
  • line 131: _bcs_skip_ws( buf ) is wrong, _bcs_skip_ws( p ) is correct.
  • line 132: *p != T_COMM && !*p is wrong, *p != T_COMM || !*p is correct.
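
The checks the list above asks for, gathered into one function as an added C example (not code from this issue or from the citrus sources). `parse_entry`, `skip_ws` and `LINE_MAX_LEN` are hypothetical names, standard `strtoul` with `errno` stands in for `_bcs_strtoul()`, and the example assumes that only whitespace or a `#` comment may follow the number.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define T_COMM '#'
#define LINE_MAX_LEN 256	/* assumed per-line limit, not from the issue */

/* Local stand-in for _bcs_skip_ws(): advance past whitespace. */
static const char *
skip_ws(const char *p)
{
	while (isspace((unsigned char)*p))
		p++;
	return p;
}

/*
 * Parse one map entry from the len bytes at p (not NUL-terminated).
 * Returns 0 and stores the value in *out, or an errno value.
 */
static int
parse_entry(const char *p, size_t len, uint32_t *out)
{
	char buf[LINE_MAX_LEN];
	char *end;
	unsigned long v;

	if (len >= sizeof(buf))		/* report truncation instead of hiding it */
		return EINVAL;
	memcpy(buf, p, len);
	buf[len] = '\0';

	errno = 0;
	v = strtoul(buf, &end, 0);
	if (end == buf)			/* no digits were consumed */
		return EINVAL;
	/* errno catches overflow where ULONG_MAX == UINT32_MAX (32-bit);
	 * the comparison catches it where unsigned long is wider. */
	if (errno == ERANGE || v > UINT32_MAX)
		return ERANGE;

	end = (char *)skip_ws(end);	/* continue after the number, not at buf */
	if (*end != T_COMM && *end != '\0')
		return EINVAL;		/* trailing text that is not a comment */
	*out = (uint32_t)v;
	return 0;
}
```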
