[PATCH] Fix for recoverdm crash bug

[Aleksey Kravchenko <rhash.admin@gmail.com>]

Hello Folkert,

The package recoverdm in Debian has a bug [1]:
"recoverdm: mergebad crashes with exit status 139".

I've prepared a quick-fix patch for the problem, see attachment (also [2]).

Note, that Debian has also two more tiny patches [3] for recoverdm.

Please apply the fixes!

I'm sending this request by email, since recoverdm do not have a bugtracker. It would be great to place recoverdm on github, since users like it for precise and low-level operations on hardware ;)

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=716182

[2] https://salsa.debian.org/pkg-security-team/recoverdm/blob/debian/master/debian/patches/30-fix-BTS-mergebad-crash.patch

[3] https://salsa.debian.org/pkg-security-team/recoverdm/tree/debian/master/debian/patches

  Best wishes,

  Aleksey

Description: fix for crash of mergebad binary.
             The mergebad utility crashes when supplied a single '-s' argument.
             The patch adds checking the number of supplied arguments.
Author: Aleksey Kravchenko <rhash.admin@gmail.com>
Bug-Debian: http://bugs.debian.org/716182
Last-Update: 2019-01-15
diff --git a/mergebad.c b/mergebad.c
index 34a6ef7..9b1983c 100644
--- a/mergebad.c
+++ b/mergebad.c
@@ -250,6 +250,8 @@ void usage(void)
 	fprintf(stderr, "-h		This help.\n");
 }
 
+#define check_args_num(required_args_num) (!(arg_num_error = (loop + (required_args_num) >= argc)))
+
 int main(int argc, char *argv[])
 {
 	image *imgs = NULL;
@@ -259,12 +261,13 @@ int main(int argc, char *argv[])
 	off64_t offset = 0, length = 0;
 	char *map_file = NULL;
 	FILE *fh_map_file = NULL;
+	int arg_num_error = 0;
 
 	version();
 
 	for(loop=1; loop<argc; loop++)
 	{
-		if (strcmp(argv[loop], "-i") == 0)
+		if (strcmp(argv[loop], "-i") == 0 && check_args_num(2))
 		{
 			imgs = myrealloc(imgs, sizeof(image) * (n_imgs + 1), "image structure");
 
@@ -291,7 +294,7 @@ int main(int argc, char *argv[])
 
 			n_imgs++;
 		}
-		else if (strcmp(argv[loop], "-o") == 0)
+		else if (strcmp(argv[loop], "-o") == 0 && check_args_num(1))
 		{
 			fd_out = open64(argv[++loop], O_WRONLY | O_CREAT | O_EXCL | O_SYNC, S_IRUSR | S_IWUSR);
 			if (fd_out == -1)
@@ -306,11 +309,11 @@ int main(int argc, char *argv[])
 			if (verbose)
 				printf("Writing output to: %s\n", argv[loop]);
 		}
-		else if (strcmp(argv[loop], "-l") == 0)
+		else if (strcmp(argv[loop], "-l") == 0 && check_args_num(1))
 		{
 			map_file = argv[++loop];
 		}
-		else if (strcmp(argv[loop], "-s") == 0)
+		else if (strcmp(argv[loop], "-s") == 0 && check_args_num(1))
 		{
 			length = atoll(argv[++loop]);
 
@@ -328,7 +331,10 @@ int main(int argc, char *argv[])
 		}
 		else
 		{
-			fprintf(stderr, "Parameter '%s' is not recognized!\n", argv[loop]);
+			if (arg_num_error)
+				fprintf(stderr, "Not enough arguments for parameter '%s'!\n", argv[loop]);
+			else
+				fprintf(stderr, "Parameter '%s' is not recognized!\n", argv[loop]);
 			return 9;
 		}
 	}