Address some security concerns in the cgpt tool.

cgpt/cmd_find.c

 // Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "cgpt.h"
 
 #include <getopt.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ skipping 142 matching lines @@
 
 // This returns true if a GPT partition matches the search criteria. If a match
 // isn't found (or if the file doesn't contain a GPT), it returns false. The
 // filename and partition number that matched is left in a global, since we
 // could have multiple hits.
 static int do_search(char *filename) {
   int retval = 0;
   int i;
   struct drive drive;
   GptEntry *entry;
-  char partlabel[sizeof(entry->name) * 3 / 2];
+  char partlabel[GPT_PARTNAME_LEN];
 
   if (CGPT_OK != DriveOpen(filename, &drive))
     return 0;
 
   if (GPT_SUCCESS != GptSanityCheck(&drive.gpt)) {
     (void) DriveClose(&drive, 0);
     return 0;
   }
 
   for (i = 0; i < GetNumberOfEntries(&drive.gpt); ++i) {
     entry = GetEntry(&drive.gpt, PRIMARY, i);
 
     if (IsZero(&entry->type))
       continue;
 
     int found = 0;
     if ((set_unique && !memcmp(&unique_guid, &entry->unique, sizeof(Guid))) ||
         (set_type && !memcmp(&type_guid, &entry->type, sizeof(Guid)))) {
       found = 1;
     } else if (set_label) {
-      UTF16ToUTF8(entry->name, (uint8_t *)partlabel);
+      UTF16ToUTF8(entry->name, sizeof(entry->name) / sizeof(entry->name[0]),
+                  (uint8_t *)partlabel, sizeof(partlabel));
       if (!strncmp(label, partlabel, sizeof(partlabel))) {
         found = 1;
       }
     }
     if (found && match_content(&drive, entry)) {
       hits++;
       retval++;
       showmatch(filename, i+1, entry);
       if (!match_partnum) {
         match_partnum = i+1;
@@ skipping 48 matching lines @@
 
   return 0;
 }
 
 
 // This scans all the physical devices it can find, looking for a match. It
 // returns true if any matches were found, false otherwise.
 static int scan_real_devs(void) {
   int found = 0;
   char line[BUFSIZE];
-  char partname[128];
+  char partname[128];                   // max size for /proc/partition lines?
   FILE *fp;
   char *pathname;
 
   fp = fopen(PROC_PARTITIONS, "r");
   if (!fp) {
     perror("can't read " PROC_PARTITIONS);
     return found;
   }
 
   while (fgets(line, sizeof(line), fp)) {
     int ma, mi;
     long long unsigned int sz;
 
-    if (sscanf(line, " %d %d %llu %128[^\n ]", &ma, &mi, &sz, partname) != 4)
+    if (sscanf(line, " %d %d %llu %127[^\n ]", &ma, &mi, &sz, partname) != 4)
       continue;
 
     if ((pathname = is_wholedev(partname))) {
       if (do_search(pathname)) {
         found++;
       }
     }
   }
 
   fclose(fp);
@@ skipping 98 matching lines @@
   if (oneonly && hits != 1) {
     return CGPT_FAILED;
   }
 
   if (match_partnum) {
     return CGPT_OK;
   }
 
   return CGPT_FAILED;
 }