From d5233adbf9b9061188ff2cc6e9b20ab5fd2408fc Mon Sep 17 00:00:00 2001
From: "Lay, Kuan Loon" <kuan.loon.lay@intel.com>
Date: Thu, 17 Dec 2015 14:53:44 +0800
Subject: [PATCH] iio.c: fix memory leak and out of bound array access issue

Fix memory leak in mraa_iio_update_channels() and mraa_iio_get_channel_data().
In mraa_iio_update_channels(), we add checking for out of bound array access.

Signed-off-by: Lay, Kuan Loon <kuan.loon.lay@intel.com>
Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com>
---
 src/iio/iio.c | 44 ++++++++++++++++++++++++--------------------
 1 file changed, 24 insertions(+), 20 deletions(-)
 mode change 100644 => 100755 src/iio/iio.c

diff --git a/src/iio/iio.c b/src/iio/iio.c
old mode 100644
new mode 100755
index da6dc59..d8b0546
--- a/src/iio/iio.c
+++ b/src/iio/iio.c
@@ -154,6 +154,7 @@ mraa_iio_get_channel_data(mraa_iio_context dev)
                 if (fd > 0) {
                     if (read(fd, readbuf, 2 * sizeof(char)) != 2) {
                         syslog(LOG_ERR, "iio: Failed to read a sensible value from sysfs");
+                        free(str);
                         return -1;
                     }
                     chan->enabled = (int) strtol(readbuf, NULL, 10);
@@ -577,29 +578,32 @@ mraa_iio_update_channels(mraa_iio_context dev)
                         break;
                     }
                     chan_num = ((int) strtol(readbuf, NULL, 10));
-                    chan = &dev->channels[chan_num];
-                    chan->index = chan_num;
-                    close(fd);
+                    if (chan_num >= 0 && chan_num < dev->chan_num) {
+                        chan = &dev->channels[chan_num];
+                        chan->index = chan_num;
+                        close(fd);
 
-                    buf[(strlen(buf) - 5)] = '\0';
-                    char* str = strdup(buf);
-                    // grab the enable flag of channel
-                    snprintf(buf, MAX_SIZE, "%sen", str);
-                    fd = open(buf, O_RDONLY);
-                    if (fd > 0) {
-                        if (read(fd, readbuf, 2 * sizeof(char)) != 2) {
-                            syslog(LOG_ERR, "iio: Failed to read a sensible value from sysfs");
-                            return -1;
+                        buf[(strlen(buf) - 5)] = '\0';
+                        char* str = strdup(buf);
+                        // grab the enable flag of channel
+                        snprintf(buf, MAX_SIZE, "%sen", str);
+                        fd = open(buf, O_RDONLY);
+                        if (fd > 0) {
+                            if (read(fd, readbuf, 2 * sizeof(char)) != 2) {
+                                syslog(LOG_ERR, "iio: Failed to read a sensible value from sysfs");
+                                free(str);
+                                return -1;
+                            }
+                            chan->enabled = (int) strtol(readbuf, NULL, 10);
+                            // only calculate enable buffer size for trigger buffer extract data
+                            if (chan->enabled) {
+                                dev->datasize += chan->bytes;
+                            }
+                            close(fd);
                         }
-                        chan->enabled = (int) strtol(readbuf, NULL, 10);
-                        // only calculate enable buffer size for trigger buffer extract data
-                        if (chan->enabled) {
-                            dev->datasize += chan->bytes;
-                        }
-                        close(fd);
+                        // clean up str var
+                        free(str);
                     }
-                    // clean up str var
-                    free(str);
                 }
             }
         }
-- 
2.7.4