The evaluation of option -c is incorrect:
According to the C99 standard endptr in the first strtol is always set as &endptr is not NULL. So the first part of the or condition is always true. If all digits in optarg are valid endptr will point to the closing \0 and the second strtol will read beyond the end of the string optarg points to.
Signed-off-by: Heinrich Schuchardt xypron.glpk@gmx.de --- v2: Simplify the logical expression. v1: In the original patch I missed that envptr is always set in strtol and used an unnecessary check if endptr is non-NULL. [PATCH 1/1] tools: sunxi: avoid possible null pointer dereference https://patchwork.ozlabs.org/patch/758224/ --- tools/sunxi-spl-image-builder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/sunxi-spl-image-builder.c b/tools/sunxi-spl-image-builder.c index d538a38813..a367f11774 100644 --- a/tools/sunxi-spl-image-builder.c +++ b/tools/sunxi-spl-image-builder.c @@ -433,7 +433,7 @@ int main(int argc, char **argv) break; case 'c': info.ecc_strength = strtol(optarg, &endptr, 0); - if (endptr || *endptr == '/') + if (*endptr == '/') info.ecc_step_size = strtol(endptr + 1, NULL, 0); break; case 'p':