Commit a89f96d8 authored by Pavlov Konstantin's avatar Pavlov Konstantin

Port some fixes from CVE-2008-0225 fix for xine-lib plus some code style...

Port some fixes from CVE-2008-0225 fix for xine-lib plus some code style fixes. Someone should really review it, as it may not be fully fixed.
parent ce68b58c
...@@ -35,9 +35,11 @@ ...@@ -35,9 +35,11 @@
* writes header data to a buffer * writes header data to a buffer
*/ */
static void rmff_dump_fileheader(rmff_fileheader_t *fileheader, char *buffer) { static int rmff_dump_fileheader(rmff_fileheader_t *fileheader, uint8_t *buffer, int bufsize) {
if (!fileheader) return 0;
if (bufsize < RMFF_FILEHEADER_SIZE)
return -1;
if (!fileheader) return;
fileheader->object_id=BE_32(&fileheader->object_id); fileheader->object_id=BE_32(&fileheader->object_id);
fileheader->size=BE_32(&fileheader->size); fileheader->size=BE_32(&fileheader->size);
fileheader->object_version=BE_16(&fileheader->object_version); fileheader->object_version=BE_16(&fileheader->object_version);
...@@ -53,11 +55,17 @@ static void rmff_dump_fileheader(rmff_fileheader_t *fileheader, char *buffer) { ...@@ -53,11 +55,17 @@ static void rmff_dump_fileheader(rmff_fileheader_t *fileheader, char *buffer) {
fileheader->file_version=BE_32(&fileheader->file_version); fileheader->file_version=BE_32(&fileheader->file_version);
fileheader->num_headers=BE_32(&fileheader->num_headers); fileheader->num_headers=BE_32(&fileheader->num_headers);
fileheader->object_id=BE_32(&fileheader->object_id); fileheader->object_id=BE_32(&fileheader->object_id);
return RMFF_FILEHEADER_SIZE;
} }
static void rmff_dump_prop(rmff_prop_t *prop, char *buffer) { static int rmff_dump_prop(rmff_prop_t *prop, uint8_t *buffer, int bufsize) {
if (!prop) return 0;
if (bufsize < RMFF_PROPHEADER_SIZE)
return -1;
if (!prop) return;
prop->object_id=BE_32(&prop->object_id); prop->object_id=BE_32(&prop->object_id);
prop->size=BE_32(&prop->size); prop->size=BE_32(&prop->size);
prop->object_version=BE_16(&prop->object_version); prop->object_version=BE_16(&prop->object_version);
...@@ -93,13 +101,19 @@ static void rmff_dump_prop(rmff_prop_t *prop, char *buffer) { ...@@ -93,13 +101,19 @@ static void rmff_dump_prop(rmff_prop_t *prop, char *buffer) {
prop->num_streams=BE_16(&prop->num_streams); prop->num_streams=BE_16(&prop->num_streams);
prop->flags=BE_16(&prop->flags); prop->flags=BE_16(&prop->flags);
prop->object_id=BE_32(&prop->object_id); prop->object_id=BE_32(&prop->object_id);
return RMFF_PROPHEADER_SIZE;
} }
static void rmff_dump_mdpr(rmff_mdpr_t *mdpr, char *buffer) { static int rmff_dump_mdpr(rmff_mdpr_t *mdpr, uint8_t *buffer, int bufsize) {
int s1, s2, s3; int s1, s2, s3;
if (!mdpr) return; if (!mdpr) return 0;
if (bufsize < RMFF_MDPRHEADER_SIZE + mdpr->type_specific_len +
mdpr->stream_name_size + mdpr->mime_type_size)
return -1;
mdpr->object_id=BE_32(&mdpr->object_id); mdpr->object_id=BE_32(&mdpr->object_id);
mdpr->size=BE_32(&mdpr->size); mdpr->size=BE_32(&mdpr->size);
mdpr->object_version=BE_16(&mdpr->object_version); mdpr->object_version=BE_16(&mdpr->object_version);
...@@ -141,13 +155,19 @@ static void rmff_dump_mdpr(rmff_mdpr_t *mdpr, char *buffer) { ...@@ -141,13 +155,19 @@ static void rmff_dump_mdpr(rmff_mdpr_t *mdpr, char *buffer) {
mdpr->duration=BE_32(&mdpr->duration); mdpr->duration=BE_32(&mdpr->duration);
mdpr->object_id=BE_32(&mdpr->object_id); mdpr->object_id=BE_32(&mdpr->object_id);
return RMFF_MDPRHEADER_SIZE + s1 + s2 + s3;
} }
static void rmff_dump_cont(rmff_cont_t *cont, char *buffer) { static int rmff_dump_cont(rmff_cont_t *cont, uint8_t *buffer, int bufsize) {
int p; int p;
if (!cont) return; if (!cont) return 0;
if (bufsize < RMFF_CONTHEADER_SIZE + cont->title_len + cont->author_len + \
cont->copyright_len + cont->comment_len)
return -1;
cont->object_id=BE_32(&cont->object_id); cont->object_id=BE_32(&cont->object_id);
cont->size=BE_32(&cont->size); cont->size=BE_32(&cont->size);
cont->object_version=BE_16(&cont->object_version); cont->object_version=BE_16(&cont->object_version);
...@@ -181,11 +201,18 @@ static void rmff_dump_cont(rmff_cont_t *cont, char *buffer) { ...@@ -181,11 +201,18 @@ static void rmff_dump_cont(rmff_cont_t *cont, char *buffer) {
cont->size=BE_32(&cont->size); cont->size=BE_32(&cont->size);
cont->object_version=BE_16(&cont->object_version); cont->object_version=BE_16(&cont->object_version);
cont->object_id=BE_32(&cont->object_id); cont->object_id=BE_32(&cont->object_id);
return RMFF_CONTHEADER_SIZE + cont->title_len + cont->author_len + \
cont->copyright_len + cont->comment_len;
} }
static void rmff_dump_dataheader(rmff_data_t *data, char *buffer) { static int rmff_dump_dataheader(rmff_data_t *data, uint8_t *buffer, int bufsize) {
if (!data) return 0;
if (bufsize < RMFF_DATAHEADER_SIZE)
return -1;
if (!data) return;
data->object_id=BE_32(&data->object_id); data->object_id=BE_32(&data->object_id);
data->size=BE_32(&data->size); data->size=BE_32(&data->size);
...@@ -202,31 +229,48 @@ static void rmff_dump_dataheader(rmff_data_t *data, char *buffer) { ...@@ -202,31 +229,48 @@ static void rmff_dump_dataheader(rmff_data_t *data, char *buffer) {
data->size=BE_32(&data->size); data->size=BE_32(&data->size);
data->object_version=BE_16(&data->object_version); data->object_version=BE_16(&data->object_version);
data->object_id=BE_32(&data->object_id); data->object_id=BE_32(&data->object_id);
return RMFF_DATAHEADER_SIZE;
} }
int rmff_dump_header(rmff_header_t *h, char *buffer, int max) { int rmff_dump_header(rmff_header_t *h, void *buf_gen, int max) {
uint8_t *buffer = buf_gen;
int written=0; int written=0, size;
rmff_mdpr_t **stream=h->streams; rmff_mdpr_t **stream=h->streams;
rmff_dump_fileheader(h->fileheader, &buffer[written]); if ((size=rmff_dump_fileheader(h->fileheader, &buffer[written], max)) < 0)
written+=h->fileheader->size; return -1;
rmff_dump_prop(h->prop, &buffer[written]);
written+=h->prop->size; written += size;
rmff_dump_cont(h->cont, &buffer[written]); max -= size;
written+=h->cont->size;
if (stream) if ((size=rmff_dump_prop(h->prop, &buffer[written], max)) < 0)
{ return -1;
while(*stream)
{ written += size;
rmff_dump_mdpr(*stream, &buffer[written]); max -= size;
written+=(*stream)->size;
if ((size=rmff_dump_cont(h->cont, &buffer[written], max)) < 0)
return -1;
written += size;
max -= size;
if (stream) {
while(*stream) {
if ((size=rmff_dump_mdpr(*stream, &buffer[written], max)) < 0)
return -1;
written += size;
max -= size;
stream++; stream++;
} }
} }
rmff_dump_dataheader(h->data, &buffer[written]); if ((size=rmff_dump_dataheader(h->data, &buffer[written], max)) < 0)
written+=18; return -1;
written+=size;
return written; return written;
} }
......
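Review bot: The size check added at the top of `rmff_dump_mdpr` sums three length fields taken from the parsed stream header with `RMFF_MDPRHEADER_SIZE` and compares the result against a signed `int bufsize`. The field declarations are not in this diff, but if any of them is a 32-bit unsigned type, the sum can wrap and the comparison is carried out unsigned, so an oversized record would pass the check. Computing the requirement in a wider type avoids both problems: `uint64_t need = (uint64_t)RMFF_MDPRHEADER_SIZE + mdpr->type_specific_len + mdpr->stream_name_size + mdpr->mime_type_size;` followed by `if (bufsize < 0 || need > (uint64_t)bufsize) return -1;`. The function returns `RMFF_MDPRHEADER_SIZE + s1 + s2 + s3`, and the assignments to `s1`..`s3` lie outside the visible hunks, so confirm they are the same three fields that were checked; if they differ, `max -= size` in `rmff_dump_header` can go negative. The check in `rmff_dump_cont` follows the same pattern and deserves the same treatment.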
...@@ -29,6 +29,12 @@ ...@@ -29,6 +29,12 @@
#define RMFF_HEADER_SIZE 0x12 #define RMFF_HEADER_SIZE 0x12
#define RMFF_FILEHEADER_SIZE 18
#define RMFF_PROPHEADER_SIZE 50
#define RMFF_MDPRHEADER_SIZE 46
#define RMFF_CONTHEADER_SIZE 18
#define RMFF_DATAHEADER_SIZE 18
#define FOURCC_TAG( ch0, ch1, ch2, ch3 ) \ #define FOURCC_TAG( ch0, ch1, ch2, ch3 ) \
(((long)(unsigned char)(ch3) ) | \ (((long)(unsigned char)(ch3) ) | \
( (long)(unsigned char)(ch2) << 8 ) | \ ( (long)(unsigned char)(ch2) << 8 ) | \
...@@ -234,7 +240,7 @@ int rmff_get_header_size(rmff_header_t *h); ...@@ -234,7 +240,7 @@ int rmff_get_header_size(rmff_header_t *h);
/* /*
* dumps the header <h> to <buffer>. <max> is the size of <buffer> * dumps the header <h> to <buffer>. <max> is the size of <buffer>
*/ */
int rmff_dump_header(rmff_header_t *h, char *buffer, int max); int rmff_dump_header(rmff_header_t *h, void *buffer, int max);
/* /*
* dumps a packet header * dumps a packet header
......
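Review bot: The comment above the `rmff_dump_header` prototype does not mention the new failure mode: per the `return -1` paths in the implementation, the function now returns -1 when `<max>` is too small for the headers. Callers (not shown on this page) must test for that before using the result as a length, so the contract belongs in the header. Suggested wording: `* dumps the header <h> to <buffer>. <max> is the size of <buffer>. returns the number of bytes written, or -1 if <buffer> is too small.` Separately, `RMFF_FILEHEADER_SIZE 18` has the same value as the existing `RMFF_HEADER_SIZE 0x12`; a short comment saying which one each caller should use would prevent the two from drifting apart.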