* Fix a potential buffer overflow, UTF-8'ify session name in a previous unhandled case.

4ec49559 · Derk-Jan Hartman · 20acaecf · 4ec49559
Commit 4ec49559 authored Jun 28, 2006 by Derk-Jan Hartman
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 10 deletions

modules/services_discovery/sap.c modules/services_discovery/sap.c +13 -10

No files found.
--- a/modules/services_discovery/sap.c
+++ b/modules/services_discovery/sap.c
@@ -284,9 +284,6 @@ static int Open( vlc_object_t *p_this )
    services_discovery_sys_t *p_sys  = (services_discovery_sys_t *)
                                malloc( sizeof( services_discovery_sys_t ) );

-    playlist_view_t     *p_view;
-    vlc_value_t         val;
-
    p_sys->i_timeout = var_CreateGetInteger( p_sd, "sap-timeout" );

    p_sd->pf_run = Run;
@@ -579,7 +576,7 @@ static int Demux( demux_t *p_demux )
                                               FIND_ANYWHERE );

    /* TODO FIXME !! Add at the correct place */
-    playlist_PlaylistAdd( p_playlist, p_sdp->psz_uri, p_sdp->psz_sessionname,
+    playlist_PlaylistAdd( p_playlist, p_sdp->psz_uri, EnsureUTF8( p_sdp->psz_sessionname ),
                          PLAYLIST_APPEND, PLAYLIST_END );

    vlc_object_release( p_playlist );
@@ -602,6 +599,7 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
 {
    int                 i_version, i_address_type, i_hash, i;
    char                *psz_sdp, *psz_foo, *psz_initial_sdp;
+    uint8_t             *p_decompressed_buffer = NULL;
    sdp_t               *p_sdp;
    vlc_bool_t          b_compressed;
    vlc_bool_t          b_need_delete = VLC_FALSE;
@@ -668,16 +666,20 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
    if( b_compressed )
    {
 #ifdef HAVE_ZLIB_H
-        uint8_t *p_decompressed_buffer = NULL;
        int      i_decompressed_size;

        i_decompressed_size = Decompress( (uint8_t *)psz_sdp,
                   &p_decompressed_buffer, i_read - ( psz_sdp - (char *)p_buffer ) );
-        if( i_decompressed_size > 0 && i_decompressed_size < MAX_SAP_BUFFER )
+        if( i_decompressed_size > 0 )
        {
-            memcpy( psz_sdp, p_decompressed_buffer, i_decompressed_size );
+            psz_sdp = (char *)p_decompressed_buffer;
+            realloc( p_decompressed_buffer, i_decompressed_size++ );
            psz_sdp[i_decompressed_size] = '\0';
-            free( p_decompressed_buffer );
+        }
+        else
+        {
+            msg_Warn( p_sd, "decompression of sap packet failed" );
+            return VLC_EGENERIC;
        }
 #else
        msg_Warn( p_sd, "ignoring compressed sap packet" );
@@ -772,6 +774,7 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )

    CreateAnnounce( p_sd, i_hash, p_sdp );

+    FREE( p_decompressed_buffer );
    return VLC_SUCCESS;
 }

@@ -879,8 +882,8 @@ static char *GetAttribute( sdp_t *p_sdp, const char *psz_search )
 /* Fill p_sdp->psz_uri */
 static int ParseConnection( vlc_object_t *p_obj, sdp_t *p_sdp )
 {
-    char *psz_eof;
-    char *psz_parse;
+    char *psz_eof = NULL;
+    char *psz_parse = NULL;
    char *psz_uri = NULL;
    char *psz_proto = NULL;
    char psz_source[256];