Commit 9029e6b6 authored by Clément Stenac's avatar Clément Stenac

hopefully fix SAP crash

some more size verifications
parent 12b32fc2
...@@ -587,10 +587,12 @@ static int Control( demux_t *p_demux, int i_query, va_list args ) ...@@ -587,10 +587,12 @@ static int Control( demux_t *p_demux, int i_query, va_list args )
* Local functions * Local functions
**************************************************************/ **************************************************************/
/* i_read is at least > 6 */
static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read ) static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
{ {
int i_version, i_address_type, i_hash, i; int i_version, i_address_type, i_hash, i;
uint8_t *psz_sdp; uint8_t *psz_sdp;
uint8_t *psz_initial_sdp;
sdp_t *p_sdp; sdp_t *p_sdp;
vlc_bool_t b_compressed; vlc_bool_t b_compressed;
vlc_bool_t b_need_delete = VLC_FALSE; vlc_bool_t b_need_delete = VLC_FALSE;
...@@ -638,14 +640,25 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read ) ...@@ -638,14 +640,25 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
} }
psz_sdp = &p_buffer[4]; psz_sdp = &p_buffer[4];
psz_initial_sdp = psz_sdp;
if( i_address_type == 0 ) /* ipv4 source address */ if( i_address_type == 0 ) /* ipv4 source address */
{ {
psz_sdp += 4; psz_sdp += 4;
if( i_read <= 9 )
{
msg_Warn( p_sd,"too short SAP packet\n" );
return VLC_EGENERIC;
}
} }
else /* ipv6 source address */ else /* ipv6 source address */
{ {
psz_sdp += 16; psz_sdp += 16;
if( i_read <= 21 )
{
msg_Warn( p_sd,"too short SAP packet\n" );
return VLC_EGENERIC;
}
} }
if( b_compressed ) if( b_compressed )
...@@ -666,12 +679,21 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read ) ...@@ -666,12 +679,21 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
} }
/* Add the size of authentification info */ /* Add the size of authentification info */
if( i_read < p_buffer[1] + (psz_sdp - psz_initial_sdp ) )
{
msg_Warn( p_sd, "too short SAP packet\n");
return VLC_EGENERIC;
}
psz_sdp += p_buffer[1]; psz_sdp += p_buffer[1];
/* Skip payload type */ /* Skip payload type */
/* Handle announces without \0 between SAP and SDP */ /* Handle announces without \0 between SAP and SDP */
while( *psz_sdp != '\0' && ( psz_sdp[0] != 'v' && psz_sdp[1] != '=' ) ) while( *psz_sdp != '\0' && ( psz_sdp[0] != 'v' && psz_sdp[1] != '=' ) )
{ {
if( psz_sdp - psz_initial_sdp >= i_read - 5 )
{
msg_Warn( p_sd, "empty SDP ?");
}
psz_sdp++; psz_sdp++;
} }
...@@ -680,7 +702,6 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read ) ...@@ -680,7 +702,6 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
psz_sdp++; psz_sdp++;
} }
/* Parse SDP info */ /* Parse SDP info */
p_sdp = ParseSDP( VLC_OBJECT(p_sd), psz_sdp ); p_sdp = ParseSDP( VLC_OBJECT(p_sd), psz_sdp );
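Review bot: The length check added inside the skip loop, `if( psz_sdp - psz_initial_sdp >= i_read - 5 )`, only calls msg_Warn and then falls through to `psz_sdp++`, so the next iteration still reads `psz_sdp[0]`/`psz_sdp[1]` beyond the i_read bytes that were received; it needs `return VLC_EGENERIC;` after the warning, as the other checks added in this commit do. The authentication-length check just above it compares `i_read` against `p_buffer[1] + (psz_sdp - psz_initial_sdp)`, but psz_initial_sdp is `&p_buffer[4]`, so the four SAP header bytes are not counted and an equal length is accepted, leaving psz_sdp pointing exactly at the end of the buffer; `if( i_read <= p_buffer[1] + (psz_sdp - p_buffer) )` keeps the skip target inside the packet. Since the loop condition dereferences up to two bytes and the receive buffer's NUL termination is not visible here, the early return is what bounds the read. ParseSAP begins before the first hunk and the compression branch between the hunks is not shown.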
...@@ -226,7 +226,6 @@ int playlist_AddItem( playlist_t *p_playlist, playlist_item_t *p_item, ...@@ -226,7 +226,6 @@ int playlist_AddItem( playlist_t *p_playlist, playlist_item_t *p_item,
p_add->i_view = VIEW_SIMPLE; p_add->i_view = VIEW_SIMPLE;
val.p_address = p_add; val.p_address = p_add;
var_Set( p_playlist, "item-append", val ); var_Set( p_playlist, "item-append", val );
} }
else else
{ {
...@@ -401,6 +401,7 @@ int playlist_NodeInsert( playlist_t *p_playlist, ...@@ -401,6 +401,7 @@ int playlist_NodeInsert( playlist_t *p_playlist,
if( !p_parent || p_parent->i_children == -1 ) if( !p_parent || p_parent->i_children == -1 )
{ {
msg_Err( p_playlist, "invalid node" ); msg_Err( p_playlist, "invalid node" );
return VLC_EGENERIC;
} }
if( i_position == -1 ) i_position = p_parent->i_children ; if( i_position == -1 ) i_position = p_parent->i_children ;
...@@ -516,11 +517,9 @@ playlist_item_t *playlist_ChildSearchName( playlist_item_t *p_node, ...@@ -516,11 +517,9 @@ playlist_item_t *playlist_ChildSearchName( playlist_item_t *p_node,
{ {
return NULL; return NULL;
} }
for( i = 0 ; i< p_node->i_children; i++ ) for( i = 0 ; i< p_node->i_children; i++ )
{ {
if( !strncmp( p_node->pp_children[i]->input.psz_name, psz_search, if( !strcmp( p_node->pp_children[i]->input.psz_name, psz_search ) )
strlen( p_node->pp_children[i]->input.psz_name ) ) )
{ {
return p_node->pp_children[i]; return p_node->pp_children[i];
} }
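Review bot: The switch from strncmp bounded by `strlen( psz_name )` to strcmp in playlist_ChildSearchName changes the contract from "child name is a prefix of psz_search" to an exact match, and nothing in the hunk records that; a comment above the loop such as `/* exact, case-sensitive match on the child's name; prefix matches are rejected */` would make the intent explicit for callers that previously got a hit. Whether `input.psz_name` or `psz_search` can be NULL is not visible here; if either can, strcmp (like the old strncmp/strlen) needs a guard, and the early-return condition above the loop is outside the hunk.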