From afe3464a1c7c6f9d7640a3f5db17010c34212440 Mon Sep 17 00:00:00 2001
From: =?utf8?q?R=C3=A9mi=20Denis-Courmont?=
Date: Sun, 24 Aug 2008 09:22:22 +0300
Subject: [PATCH] MMS integers handling fixes, including buffer overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Pointed-out-by: Pınar Yanardağ
---
 modules/access/mms/mmstu.c | 22 +++++++++++-----------
 modules/access/mms/mmstu.h | 6 +++---
 2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/modules/access/mms/mmstu.c b/modules/access/mms/mmstu.c
index 8211250246..72eac84175 100644
--- a/modules/access/mms/mmstu.c
+++ b/modules/access/mms/mmstu.c
@@ -739,9 +739,9 @@ static int MMSOpen( access_t *p_access, vlc_url_t *p_url, int i_proto )
 GetDWLE( p_sys->p_cmd + MMS_CMD_HEADERSIZE + 60 );
 msg_Dbg( p_access,
- "answer 0x06 flags:0x%8.8x media_length:%us "
- "packet_length:%ul packet_count:%d max_bit_rate:%d "
- "header_size:%d",
+ "answer 0x06 flags:0x%8.8"PRIx32" media_length:%"PRIu32"s "
+ "packet_length:%zul packet_count:%"PRId32" max_bit_rate:%d "
+ "header_size:%zu",
 p_sys->i_flags_broadcast,
 p_sys->i_media_length,
 (unsigned)p_sys->i_packet_length,
@@ -795,12 +795,12 @@ static int MMSOpen( access_t *p_access, vlc_url_t *p_url, int i_proto )
 if( p_sys->i_header >= p_sys->i_header_size )
 {
 msg_Dbg( p_access,
- "header complete(%d)",
+ "header complete(%zu)",
 p_sys->i_header );
 break;
 }
 msg_Dbg( p_access,
- "header incomplete (%d/%d), reading more",
+ "header incomplete (%zu/%zu), reading more",
 p_sys->i_header,
 p_sys->i_header_size );
 }
@@ -1169,7 +1169,7 @@ static int NetFillBuffer( access_t *p_access )
 static int mms_ParseCommand( access_t *p_access,
 uint8_t *p_data,
- int i_data,
+ size_t i_data,
 int *pi_used )
 {
 #define GET32( i_pos ) \
@@ -1178,7 +1178,7 @@ static int mms_ParseCommand( access_t *p_access,
 ( p_sys->p_cmd[i_pos + 3] << 24 ) )
 access_sys_t *p_sys = p_access->p_sys;
- int i_length;
+ uint32_t i_length;
 uint32_t i_id;
 free( p_sys->p_cmd );
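Review bot: In the `@@ -739` hunk of mmstu.c the `packet_length` conversion becomes `%zu`, but the matching argument on the unchanged context line is still `(unsigned)p_sys->i_packet_length`, so the variadic call passes an `unsigned` where a `size_t` is expected; where the two types differ in width that is undefined behaviour and can skew every argument read after it. The mmstu.h part of this patch shows `i_packet_length` as `size_t` and `i_packet_count` as `uint32_t`, so the cast should go (`p_sys->i_packet_length,`) and the format line should read `"packet_length:%zu packet_count:%"PRIu32" max_bit_rate:%d "`, which also drops the stray literal `l` after `%zu`. The remaining arguments of this msg_Dbg call lie outside the hunk, and the types of `i_flags_broadcast` and `i_media_length` are not visible here, so their `PRIx32`/`PRIu32` specifiers should be checked against the struct as well.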
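Review bot: In the `@@ -1169` hunk `i_data` becomes `size_t` while the out-parameter next to it stays `int *pi_used`, so the byte count handed back to the caller is still signed. The store through `pi_used` is outside the hunk; if it is assigned from the now-unsigned `i_length`, the narrowing is implicit and deserves either an explicit cast with a comment or a matching `size_t *pi_used`. A short header comment on mms_ParseCommand stating that `i_data` is the number of valid bytes at `p_data`, and what `*pi_used` receives, would document the contract this fix depends on.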
@@ -1197,10 +1197,10 @@ static int mms_ParseCommand( access_t *p_access,
 i_id = GetDWLE( p_data + 4 );
 i_length = GetDWLE( p_data + 8 ) + 16;
- if( i_id != 0xb00bface )
+ if( i_id != 0xb00bface || i_length < 16 )
 {
 msg_Err( p_access,
- "incorrect command header (0x%x)", i_id );
+ "incorrect command header (0x%"PRIx32")", i_id );
 p_sys->i_command = 0;
 return -1;
 }
@@ -1208,8 +1208,8 @@ static int mms_ParseCommand( access_t *p_access,
 if( i_length > p_sys->i_cmd )
 {
 msg_Warn( p_access,
- "truncated command (missing %d bytes)",
- i_length - i_data );
+ "truncated command (missing %zu bytes)",
+ (size_t)i_length - i_data );
 p_sys->i_command = 0;
 return -1;
 }
diff --git a/modules/access/mms/mmstu.h b/modules/access/mms/mmstu.h
index 2560c007e5..527c14cb53 100644
--- a/modules/access/mms/mmstu.h
+++ b/modules/access/mms/mmstu.h
@@ -67,10 +67,10 @@ struct access_sys_t
 int i_packet_seq_num;
 uint8_t *p_cmd; /* latest command read */
- int i_cmd; /* allocated at the begining */
+ size_t i_cmd; /* allocated at the begining */
 uint8_t *p_header; /* allocated by mms_ReadPacket */
- int i_header;
+ size_t i_header;
 uint8_t *p_media; /* allocated by mms_ReadPacket */
 size_t i_media;
@@ -91,7 +91,7 @@ struct access_sys_t
 size_t i_packet_length;
 uint32_t i_packet_count;
 int i_max_bit_rate;
- int i_header_size;
+ size_t i_header_size;
 /* misc */
 bool b_seekable;
--
2.39.2
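Review bot: In the `@@ -1197` hunk the new `i_length < 16` test shares a branch with the magic check, so a length that wrapped in `GetDWLE( p_data + 8 ) + 16` is logged as "incorrect command header" together with an `i_id` that may be the correct magic value, which hides the real cause when someone triages a malformed server reply. Splitting the two conditions gives the length failure its own message, and a comment should state that a value below 16 can only come from the 32-bit addition wrapping, since nothing in the code says so. The reads at `p_data + 4` and `p_data + 8` need at least 12 bytes of input; whether `i_data` is checked for that is not visible, as the function body starts outside the hunk.

```c
if( i_id != 0xb00bface )
{
    /* … unchanged: msg_Err "incorrect command header", reset i_command, return -1 … */
}
/* i_length is uint32_t: a result below 16 means the "+ 16" above wrapped */
if( i_length < 16 )
{
    msg_Err( p_access,
             "invalid command length (wrapped to %"PRIu32")", i_length );
    p_sys->i_command = 0;
    return -1;
}
```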
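Review bot: In the `@@ -1208` hunk the guard compares `i_length` with `p_sys->i_cmd`, but the message subtracts `i_data`, and with both operands now unsigned the difference wraps to a huge value whenever `i_data` is larger than `i_length`. The assignment that relates `i_cmd` to `i_data` is outside the hunk, so the two may well be equal here; using the guard's own operand, `(size_t)i_length - p_sys->i_cmd );`, makes the subtraction provably non-negative without relying on that. The enclosing function continues past the end of the hunk.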
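Review bot: In the `@@ -67` hunk of mmstu.h the comment kept on the retyped field, `/* allocated at the begining */`, describes a buffer rather than a length, and `i_header` (like `i_header_size` in the `@@ -91` hunk) has no comment at all. Since the point of this patch is that these fields are sizes compared against attacker-influenced lengths, I would document them as such, for example `size_t i_cmd; /* number of bytes held in p_cmd */` and `size_t i_header; /* header bytes received so far */`, the latter inferred from the "header incomplete" message and to be confirmed. The struct starts and ends outside both hunks, so other members that are mixed with these in arithmetic or comparisons could not be checked.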