void CWE426_Untrusted_Search_Path__wchar_t_popen_04_bad()
{
wchar_t * data;
wchar_t dataBuffer[100] = L"";
data = dataBuffer;
if(STATIC_CONST_TRUE)
{
/* FLAW: the full path is not specified */
wcscpy(data, BAD_OS_COMMAND);
}
{
FILE *pipe;
/* POTENTIAL FLAW: Executing the wpopen() function without specifying the full path to the executable
* can allow an attacker to run their own program */
pipe = POPEN(data, L"wb");
if (pipe != NULL)
{
PCLOSE(pipe);
}
}
}
void CWE426_Untrusted_Search_Path__char_popen_09_bad()
{
char * data;
char dataBuffer[100] = "";
data = dataBuffer;
if(GLOBAL_CONST_TRUE)
{
/* FLAW: the full path is not specified */
strcpy(data, BAD_OS_COMMAND);
}
{
FILE *pipe;
/* POTENTIAL FLAW: Executing the popen() function without specifying the full path to the executable
* can allow an attacker to run their own program */
pipe = POPEN(data, "wb");
if (pipe != NULL)
{
PCLOSE(pipe);
}
}
}
/* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */
static void goodG2B()
{
int h;
char * data;
char data_buf[100] = FULL_COMMAND;
data = data_buf;
for(h = 0; h < 1; h++)
{
/* FIX: Append a fixed string to data (not user / external input) */
strcat(data, "*.*");
}
{
FILE *pipe;
/* POTENTIAL FLAW: Execute command in data possibly leading to command injection */
pipe = POPEN(data, "wb");
if (pipe != NULL)
{
PCLOSE(pipe);
}
}
}
/* goodG2B() uses the GoodSource with the BadSink */
static void goodG2B()
{
wchar_t * data;
wchar_t * &dataRef = data;
wchar_t data_buf[100] = FULL_COMMAND;
data = data_buf;
/* FIX: Append a fixed string to data (not user / external input) */
wcscat(data, L"*.*");
{
wchar_t * data = dataRef;
{
FILE *pipe;
/* POTENTIAL FLAW: Execute command in data possibly leading to command injection */
pipe = POPEN(data, L"wb");
if (pipe != NULL)
{
PCLOSE(pipe);
}
}
}
}
/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
static void goodG2B2()
{
wchar_t * data;
wchar_t dataBuffer[100] = L"";
data = dataBuffer;
if(GLOBAL_CONST_TRUE)
{
/* FIX: full path is specified */
wcscpy(data, GOOD_OS_COMMAND);
}
{
FILE *pipe;
/* POTENTIAL FLAW: Executing the wpopen() function without specifying the full path to the executable
* can allow an attacker to run their own program */
pipe = POPEN(data, L"wb");
if (pipe != NULL)
{
PCLOSE(pipe);
}
}
}
void CWE78_OS_Command_Injection__wchar_t_file_popen_16_bad()
{
wchar_t * data;
wchar_t data_buf[100] = FULL_COMMAND;
data = data_buf;
while(1)
{
{
/* Read input from a file */
size_t dataLen = wcslen(data);
FILE * pFile;
/* if there is room in data, attempt to read the input from a file */
if (100-dataLen > 1)
{
pFile = fopen(FILENAME, "r");
if (pFile != NULL)
{
/* POTENTIAL FLAW: Read data from a file */
if (fgetws(data+dataLen, (int)(100-dataLen), pFile) == NULL)
{
printLine("fgetws() failed");
/* Restore NUL terminator if fgetws fails */
data[dataLen] = L'\0';
}
fclose(pFile);
}
}
}
break;
}
{
FILE *pipe;
/* POTENTIAL FLAW: Execute command in data possibly leading to command injection */
pipe = POPEN(data, L"wb");
if (pipe != NULL)
{
PCLOSE(pipe);
}
}
}
void bad()
{
char * data;
char * &dataRef = data;
char data_buf[100] = FULL_COMMAND;
data = data_buf;
{
/* Read input from a file */
size_t dataLen = strlen(data);
FILE * pFile;
/* if there is room in data, attempt to read the input from a file */
if (100-dataLen > 1)
{
pFile = fopen(FILENAME, "r");
if (pFile != NULL)
{
/* POTENTIAL FLAW: Read data from a file */
if (fgets(data+dataLen, (int)(100-dataLen), pFile) == NULL)
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
data[dataLen] = '\0';
}
fclose(pFile);
}
}
}
{
char * data = dataRef;
{
FILE *pipe;
/* POTENTIAL FLAW: Execute command in data possibly leading to command injection */
pipe = POPEN(data, "wb");
if (pipe != NULL)
{
PCLOSE(pipe);
}
}
}
}
/* goodG2B() uses the GoodSource with the BadSink */
static void goodG2B()
{
char * data;
CWE78_OS_Command_Injection__char_listen_socket_popen_34_unionType myUnion;
char data_buf[100] = FULL_COMMAND;
data = data_buf;
/* FIX: Append a fixed string to data (not user / external input) */
strcat(data, "*.*");
myUnion.unionFirst = data;
{
char * data = myUnion.unionSecond;
{
FILE *pipe;
/* POTENTIAL FLAW: Execute command in data possibly leading to command injection */
pipe = POPEN(data, "wb");
if (pipe != NULL)
{
PCLOSE(pipe);
}
}
}
}
/* goodG2B() uses the GoodSource with the BadSink */
static void goodG2B()
{
wchar_t * data;
CWE426_Untrusted_Search_Path__wchar_t_popen_34_unionType myUnion;
wchar_t dataBuffer[100] = L"";
data = dataBuffer;
/* FIX: full path is specified */
wcscpy(data, GOOD_OS_COMMAND);
myUnion.unionFirst = data;
{
wchar_t * data = myUnion.unionSecond;
{
FILE *pipe;
/* POTENTIAL FLAW: Executing the wpopen() function without specifying the full path to the executable
* can allow an attacker to run their own program */
pipe = POPEN(data, L"wb");
if (pipe != NULL)
{
PCLOSE(pipe);
}
}
}
}
char *http_async_req_stop(void *ctx, int *ret, int *len)
{
struct http_ctx *cx = ctx;
char *rxd;
if (cx->state != HTS_DONE)
while (!http_async_req_status(ctx)) ;
if (cx->host)
{
free(cx->host);
cx->host = NULL;
}
if (cx->path)
{
free(cx->path);
cx->path = NULL;
}
if (cx->txd)
{
free(cx->txd);
cx->txd = NULL;
cx->txdl = 0;
}
if (cx->hbuf)
{
free(cx->hbuf);
cx->hbuf = NULL;
}
if (cx->thdr)
{
free(cx->thdr);
cx->thdr = NULL;
cx->thlen = 0;
}
if (ret)
*ret = cx->ret;
if (len)
*len = cx->rptr;
if (cx->rbuf)
cx->rbuf[cx->rptr] = 0;
rxd = cx->rbuf;
cx->rbuf = NULL;
cx->rlen = 0;
cx->rptr = 0;
cx->contlen = 0;
if (!cx->keep)
http_async_req_close(ctx);
else if (cx->cclose)
{
PCLOSE(cx->fd);
cx->fd = PERROR;
if (cx->fdhost)
{
free(cx->fdhost);
cx->fdhost = NULL;
}
cx->state = HTS_STRT;
}
else
cx->state = HTS_IDLE;
return rxd;
}
void *http_async_req_start(void *ctx, char *uri, char *data, int dlen, int keep)
{
struct http_ctx *cx = ctx;
if (!ctx)
{
ctx = calloc(1, sizeof(struct http_ctx));
cx = ctx;
cx->fd = PERROR;
}
if (!cx->hbuf)
{
cx->hbuf = malloc(256);
cx->hlen = 256;
}
if (!http_up)
{
cx->ret = 604;
cx->state = HTS_DONE;
return ctx;
}
if (cx->state!=HTS_STRT && cx->state!=HTS_IDLE)
{
fprintf(stderr, "HTTP: unclean request restart state.\n");
exit(1);
}
cx->keep = keep;
cx->ret = 600;
if (splituri(uri, &cx->host, &cx->path))
{
cx->ret = 601;
cx->state = HTS_DONE;
return ctx;
}
if (http_use_proxy)
{
free(cx->path);
cx->path = mystrdup(uri);
}
if (cx->fdhost && strcmp(cx->host, cx->fdhost))
{
free(cx->fdhost);
cx->fdhost = NULL;
PCLOSE(cx->fd);
cx->fd = PERROR;
cx->state = HTS_STRT;
}
if (data)
{
if (!dlen)
dlen = strlen(data);
cx->txd = malloc(dlen);
memcpy(cx->txd, data, dlen);
cx->txdl = dlen;
}
else
cx->txdl = 0;
cx->contlen = 0;
cx->chunked = 0;
cx->chunkhdr = 0;
cx->rxtogo = 0;
cx->cclose = 0;
cx->tptr = 0;
cx->tlen = 0;
cx->last = time(NULL);
return ctx;
}
void CWE78_OS_Command_Injection__wchar_t_listen_socket_popen_13_bad()
{
wchar_t * data;
wchar_t data_buf[100] = FULL_COMMAND;
data = data_buf;
if(GLOBAL_CONST_FIVE==5)
{
{
#ifdef _WIN32
WSADATA wsaData;
int wsaDataInit = 0;
#endif
int recvResult;
struct sockaddr_in service;
wchar_t *replace;
SOCKET listenSocket = INVALID_SOCKET;
SOCKET acceptSocket = INVALID_SOCKET;
size_t dataLen = wcslen(data);
do
{
#ifdef _WIN32
if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
{
break;
}
wsaDataInit = 1;
#endif
/* POTENTIAL FLAW: Read data using a listen socket */
listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (listenSocket == INVALID_SOCKET)
{
break;
}
memset(&service, 0, sizeof(service));
service.sin_family = AF_INET;
service.sin_addr.s_addr = INADDR_ANY;
service.sin_port = htons(TCP_PORT);
if (bind(listenSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
{
break;
}
if (listen(listenSocket, LISTEN_BACKLOG) == SOCKET_ERROR)
{
break;
}
acceptSocket = accept(listenSocket, NULL, NULL);
if (acceptSocket == SOCKET_ERROR)
{
break;
}
/* Abort on error or the connection was closed */
recvResult = recv(acceptSocket, (char *)(data + dataLen), sizeof(wchar_t) * (100 - dataLen - 1), 0);
if (recvResult == SOCKET_ERROR || recvResult == 0)
{
break;
}
/* Append null terminator */
data[dataLen + recvResult / sizeof(wchar_t)] = L'\0';
/* Eliminate CRLF */
replace = wcschr(data, L'\r');
if (replace)
{
*replace = L'\0';
}
replace = wcschr(data, L'\n');
if (replace)
{
*replace = L'\0';
}
}
while (0);
if (listenSocket != INVALID_SOCKET)
{
CLOSE_SOCKET(listenSocket);
}
if (acceptSocket != INVALID_SOCKET)
{
CLOSE_SOCKET(acceptSocket);
}
#ifdef _WIN32
if (wsaDataInit)
{
WSACleanup();
}
#endif
}
}
{
FILE *pipe;
/* POTENTIAL FLAW: Execute command in data possibly leading to command injection */
pipe = POPEN(data, L"wb");
if (pipe != NULL)
{
PCLOSE(pipe);
}
}
}
static void
CalcReplayGain ( const char* filename, gain_info_t* G )
{
FILE* fp;
float buffl [NO];
float buffr [NO];
Int16_t buff [NO] [2];
size_t i;
size_t len;
size_t lastlen = 0;
unsigned int max = 0;
float level;
float mult;
if ((fp = pipeopen ( "mppdec --silent --scale 0.5 --gain 0 --raw - - < #", filename)) == NULL) {
stderr_printf ( "Can't decode '%s'\n", filename );
exit (9);
}
memset ( buff, 0, sizeof(buff) );
G->Silence = 0;
lastlen = len = fread (buff, 4, NO, fp);
for ( i = 0; i < len; i++ ) {
buffl [i] = 2. * buff [i] [0];
buffr [i] = 2. * buff [i] [1];
if ( abs(buff[i][0]) > max ) max = abs(buff[i][0]);
if ( abs(buff[i][1]) > max ) max = abs(buff[i][1]);
}
AnalyzeSamples ( buffl, buffr, len, 2 );
level = 0.;
mult = 1.;
for ( i = 0; i < len; i++ ) {
level += mult * (buff [i] [0] * buff [i] [0] + buff [i] [1] * buff [i] [1]);
mult *= 0.95;
}
level = 2*sqrt(level * 0.05);
if ( level > LEVEL_THR )
G->Silence |= 2;
sh ( NULL, level );
while (( len = fread (buff, 4, NO, fp) ) > 0 ) {
lastlen = len;
for ( i = 0; i < len; i++ ) {
buffl [i] = 2. * buff [i] [0];
buffr [i] = 2. * buff [i] [1];
if ( abs(buff[i][0]) > max ) max = abs(buff[i][0]);
if ( abs(buff[i][1]) > max ) max = abs(buff[i][1]);
}
AnalyzeSamples ( buffl, buffr, len, 2 );
}
level = 0.;
mult = 1.;
for ( i = 1; i <= NO; i++ ) {
int idx = (lastlen + NO - i) % NO;
level += mult * (buff [idx] [0] * buff [idx] [0] + buff [idx] [1] * buff [idx] [1]);
mult *= 0.95;
}
level = 2*sqrt(level * 0.05);
if ( level > LEVEL_THR )
G->Silence |= 1;
sh(filename,level);
PCLOSE (fp);
#if 0
GetTitleDynamics ();
#endif
G -> FileName = filename;
G -> TitleGain = GetTitleGain ();
G -> TitlePeak = 2 * max + 1;
G -> AlbumGain = GetAlbumGain ();
G -> AlbumPeak = G->AlbumPeak < G->TitlePeak ? G->TitlePeak : G->AlbumPeak;
return;
}
void CWE78_OS_Command_Injection__char_connect_socket_popen_09_bad()
{
char * data;
char data_buf[100] = FULL_COMMAND;
data = data_buf;
if(GLOBAL_CONST_TRUE)
{
{
#ifdef _WIN32
WSADATA wsaData;
int wsaDataInit = 0;
#endif
int recvResult;
struct sockaddr_in service;
char *replace;
SOCKET connectSocket = INVALID_SOCKET;
size_t dataLen = strlen(data);
do
{
#ifdef _WIN32
if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
{
break;
}
wsaDataInit = 1;
#endif
/* POTENTIAL FLAW: Read data using a connect socket */
connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (connectSocket == INVALID_SOCKET)
{
break;
}
memset(&service, 0, sizeof(service));
service.sin_family = AF_INET;
service.sin_addr.s_addr = inet_addr(IP_ADDRESS);
service.sin_port = htons(TCP_PORT);
if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
{
break;
}
/* Abort on error or the connection was closed, make sure to recv one
* less char than is in the recv_buf in order to append a terminator */
/* Abort on error or the connection was closed */
recvResult = recv(connectSocket, (char *)(data + dataLen), sizeof(char) * (100 - dataLen - 1), 0);
if (recvResult == SOCKET_ERROR || recvResult == 0)
{
break;
}
/* Append null terminator */
data[dataLen + recvResult / sizeof(char)] = '\0';
/* Eliminate CRLF */
replace = strchr(data, '\r');
if (replace)
{
*replace = '\0';
}
replace = strchr(data, '\n');
if (replace)
{
*replace = '\0';
}
}
while (0);
if (connectSocket != INVALID_SOCKET)
{
CLOSE_SOCKET(connectSocket);
}
#ifdef _WIN32
if (wsaDataInit)
{
WSACleanup();
}
#endif
}
}
{
FILE *pipe;
/* POTENTIAL FLAW: Execute command in data possibly leading to command injection */
pipe = POPEN(data, "wb");
if (pipe != NULL)
{
PCLOSE(pipe);
}
}
}
int
main(int argc, const char **argv)
{
int res = 0;
int optCount = 0;
dbgIn = stdin;
conOut = stdout;
(void)conIn;
(void)dbgOut;
memset(&cache, 0, sizeof(LIST));
memset(&sources, 0, sizeof(LIST));
stat_clear(&summ);
memset(&revinfo, 0, sizeof(REVINFO));
clearLastLine();
optionInit(argc, argv);
optCount = optionParse(argc, argv);
if (optCount < 0)
{
return optCount;
}
argc -= optCount;
if (opt_Revision && (strcmp(opt_Revision, "update") == 0))
{
res = updateSvnlog();
return res;
}
if (check_directory(opt_force))
return 3;
create_cache(opt_force, 0);
if (opt_exit)
return 0;
read_cache();
l2l_dbg(4, "Cache read complete\n");
if (set_LogFile(&logFile))
return 2;
l2l_dbg(4, "opt_logFile processed\n");
if (opt_Pipe)
{
l2l_dbg(3, "Command line: \"%s\"\n",opt_Pipe);
if (!(dbgIn = POPEN(opt_Pipe, "r")))
{
dbgIn = stdin; //restore
l2l_dbg(0, "Could not popen '%s' (%s)\n", opt_Pipe, strerror(errno));
free(opt_Pipe); opt_Pipe = NULL;
}
}
l2l_dbg(4, "opt_Pipe processed\n");
if (argc > 1)
{ // translate {<exefile> <offset>}
int i = 1;
const char *exefile = NULL;
const char *offset = NULL;
char Line[LINESIZE + 1];
while (i < argc)
{
Line[0] = '\0';
offset = argv[optCount + i++];
if (isOffset(offset))
{
if (exefile)
{
l2l_dbg(2, "translating %s %s\n", exefile, offset);
translate_file(exefile, my_atoi(offset), Line);
printf("%s\n", Line);
report(conOut);
}
else
{
l2l_dbg(0, "<exefile> expected\n");
res = 3;
break;
}
}
else
{
// Not an offset so must be an exefile:
exefile = offset;
}
}
}
else
{ // translate logging from stdin
translate_files(dbgIn, conOut);
}
if (logFile)
fclose(logFile);
if (opt_Pipe)
PCLOSE(dbgIn);
return res;
}
