Commit 4ec49559 authored by Derk-Jan Hartman's avatar Derk-Jan Hartman

* Fix a potential buffer overflow, UTF-8'ify session name in a previous unhandled case.

parent 20acaecf
...@@ -284,9 +284,6 @@ static int Open( vlc_object_t *p_this ) ...@@ -284,9 +284,6 @@ static int Open( vlc_object_t *p_this )
services_discovery_sys_t *p_sys = (services_discovery_sys_t *) services_discovery_sys_t *p_sys = (services_discovery_sys_t *)
malloc( sizeof( services_discovery_sys_t ) ); malloc( sizeof( services_discovery_sys_t ) );
playlist_view_t *p_view;
vlc_value_t val;
p_sys->i_timeout = var_CreateGetInteger( p_sd, "sap-timeout" ); p_sys->i_timeout = var_CreateGetInteger( p_sd, "sap-timeout" );
p_sd->pf_run = Run; p_sd->pf_run = Run;
...@@ -579,7 +576,7 @@ static int Demux( demux_t *p_demux ) ...@@ -579,7 +576,7 @@ static int Demux( demux_t *p_demux )
FIND_ANYWHERE ); FIND_ANYWHERE );
/* TODO FIXME !! Add at the correct place */ /* TODO FIXME !! Add at the correct place */
playlist_PlaylistAdd( p_playlist, p_sdp->psz_uri, p_sdp->psz_sessionname, playlist_PlaylistAdd( p_playlist, p_sdp->psz_uri, EnsureUTF8( p_sdp->psz_sessionname ),
PLAYLIST_APPEND, PLAYLIST_END ); PLAYLIST_APPEND, PLAYLIST_END );
vlc_object_release( p_playlist ); vlc_object_release( p_playlist );
...@@ -602,6 +599,7 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read ) ...@@ -602,6 +599,7 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
{ {
int i_version, i_address_type, i_hash, i; int i_version, i_address_type, i_hash, i;
char *psz_sdp, *psz_foo, *psz_initial_sdp; char *psz_sdp, *psz_foo, *psz_initial_sdp;
uint8_t *p_decompressed_buffer = NULL;
sdp_t *p_sdp; sdp_t *p_sdp;
vlc_bool_t b_compressed; vlc_bool_t b_compressed;
vlc_bool_t b_need_delete = VLC_FALSE; vlc_bool_t b_need_delete = VLC_FALSE;
...@@ -668,16 +666,20 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read ) ...@@ -668,16 +666,20 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
if( b_compressed ) if( b_compressed )
{ {
#ifdef HAVE_ZLIB_H #ifdef HAVE_ZLIB_H
uint8_t *p_decompressed_buffer = NULL;
int i_decompressed_size; int i_decompressed_size;
i_decompressed_size = Decompress( (uint8_t *)psz_sdp, i_decompressed_size = Decompress( (uint8_t *)psz_sdp,
&p_decompressed_buffer, i_read - ( psz_sdp - (char *)p_buffer ) ); &p_decompressed_buffer, i_read - ( psz_sdp - (char *)p_buffer ) );
if( i_decompressed_size > 0 && i_decompressed_size < MAX_SAP_BUFFER ) if( i_decompressed_size > 0 )
{ {
memcpy( psz_sdp, p_decompressed_buffer, i_decompressed_size ); psz_sdp = (char *)p_decompressed_buffer;
realloc( p_decompressed_buffer, i_decompressed_size++ );
psz_sdp[i_decompressed_size] = '\0'; psz_sdp[i_decompressed_size] = '\0';
free( p_decompressed_buffer ); }
else
{
msg_Warn( p_sd, "decompression of sap packet failed" );
return VLC_EGENERIC;
} }
#else #else
msg_Warn( p_sd, "ignoring compressed sap packet" ); msg_Warn( p_sd, "ignoring compressed sap packet" );
...@@ -772,6 +774,7 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read ) ...@@ -772,6 +774,7 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
CreateAnnounce( p_sd, i_hash, p_sdp ); CreateAnnounce( p_sd, i_hash, p_sdp );
FREE( p_decompressed_buffer );
return VLC_SUCCESS; return VLC_SUCCESS;
} }
...@@ -879,8 +882,8 @@ static char *GetAttribute( sdp_t *p_sdp, const char *psz_search ) ...@@ -879,8 +882,8 @@ static char *GetAttribute( sdp_t *p_sdp, const char *psz_search )
/* Fill p_sdp->psz_uri */ /* Fill p_sdp->psz_uri */
static int ParseConnection( vlc_object_t *p_obj, sdp_t *p_sdp ) static int ParseConnection( vlc_object_t *p_obj, sdp_t *p_sdp )
{ {
char *psz_eof; char *psz_eof = NULL;
char *psz_parse; char *psz_parse = NULL;
char *psz_uri = NULL; char *psz_uri = NULL;
char *psz_proto = NULL; char *psz_proto = NULL;
char psz_source[256]; char psz_source[256];
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment