Commit 85acf699 authored by Cheng Sun's avatar Cheng Sun Committed by Jean-Baptiste Kempf

Fix stack overflow in ExecuteCommand

Close #5675

Because ExecuteCommand allocates temporary string space on the stack,
proportional to the length of the command to execute, a stack overflow can
occur when the the command is too long.

This can be triggered remotely e.g. from the VLC Web interface, by
running this JavaScript:

sendVLMCmd(Array.prototype.join.call({length:300000},'a'));

which sends a string of length 300000 to ExecuteCommand, crashing VLC.
OKed-by: default avatarRafaël Carré <funman@videolan.org>
Signed-off-by: default avatarJean-Baptiste Kempf <jb@videolan.org>
(cherry picked from commit e183a26d4346a5b05a276cde0fd97d33b8cfe72b)
Signed-off-by: default avatarJean-Baptiste Kempf <jb@videolan.org>
parent d0fcc89f
...@@ -847,9 +847,20 @@ int ExecuteCommand( vlm_t *p_vlm, const char *psz_command, ...@@ -847,9 +847,20 @@ int ExecuteCommand( vlm_t *p_vlm, const char *psz_command,
vlm_message_t **pp_message ) vlm_message_t **pp_message )
{ {
size_t i_command = 0; size_t i_command = 0;
char buf[strlen (psz_command) + 1], *psz_buf = buf; size_t i_command_len = strlen( psz_command );
char *ppsz_command[3+sizeof (buf) / 2]; char *buf = malloc( i_command_len + 1 ), *psz_buf = buf;
size_t i_ppsz_command_len = (3 + (i_command_len + 1) / 2);
char **ppsz_command = malloc( i_ppsz_command_len * sizeof(char *) );
vlm_message_t *p_message = NULL; vlm_message_t *p_message = NULL;
int i_ret = 0;
if( !psz_buf || !ppsz_command )
{
p_message = vlm_MessageNew( ppsz_command[0],
"Memory allocation failed for command of length %zu",
i_command_len );
goto error;
}
/* First, parse the line and cut it */ /* First, parse the line and cut it */
while( *psz_command != '\0' ) while( *psz_command != '\0' )
...@@ -877,7 +888,7 @@ int ExecuteCommand( vlm_t *p_vlm, const char *psz_command, ...@@ -877,7 +888,7 @@ int ExecuteCommand( vlm_t *p_vlm, const char *psz_command,
goto error; goto error;
} }
assert (i_command < (sizeof (ppsz_command) / sizeof (ppsz_command[0]))); assert (i_command < i_ppsz_command_len);
ppsz_command[i_command] = psz_buf; ppsz_command[i_command] = psz_buf;
memcpy (psz_buf, psz_command, psz_temp - psz_command); memcpy (psz_buf, psz_command, psz_temp - psz_command);
...@@ -889,7 +900,7 @@ int ExecuteCommand( vlm_t *p_vlm, const char *psz_command, ...@@ -889,7 +900,7 @@ int ExecuteCommand( vlm_t *p_vlm, const char *psz_command,
psz_buf += psz_temp - psz_command + 1; psz_buf += psz_temp - psz_command + 1;
psz_command = psz_temp; psz_command = psz_temp;
assert (buf + sizeof (buf) >= psz_buf); assert (buf + i_command_len + 1 >= psz_buf);
} }
/* /*
...@@ -920,13 +931,20 @@ int ExecuteCommand( vlm_t *p_vlm, const char *psz_command, ...@@ -920,13 +931,20 @@ int ExecuteCommand( vlm_t *p_vlm, const char *psz_command,
success: success:
*pp_message = p_message; *pp_message = p_message;
free( buf );
free( ppsz_command );
return VLC_SUCCESS; return VLC_SUCCESS;
syntax_error: syntax_error:
return ExecuteSyntaxError( ppsz_command[0], pp_message ); i_ret = ExecuteSyntaxError( ppsz_command[0], pp_message );
free( buf );
free( ppsz_command );
return i_ret;
error: error:
*pp_message = p_message; *pp_message = p_message;
free( buf );
free( ppsz_command );
return VLC_EGENERIC; return VLC_EGENERIC;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment