* Fix a potential buffer overflow, UTF-8'ify session name in a previous unhandled...

author Derk-Jan Hartman <hartman@videolan.org>

Wed, 28 Jun 2006 20:03:15 +0000 (20:03 +0000)

committer Derk-Jan Hartman <hartman@videolan.org>

Wed, 28 Jun 2006 20:03:15 +0000 (20:03 +0000)
author Derk-Jan Hartman <hartman@videolan.org>
Wed, 28 Jun 2006 20:03:15 +0000 (20:03 +0000)
committer Derk-Jan Hartman <hartman@videolan.org>
Wed, 28 Jun 2006 20:03:15 +0000 (20:03 +0000)
diff --git a/modules/services_discovery/sap.c b/modules/services_discovery/sap.c

index b39811dd5807c7c20b19c8b4f2b17ac83d85e948..5d68d716c2dbe44e1bb58c96d9e71aefd4da188f 100644 (file)
--- a/modules/services_discovery/sap.c
+++ b/modules/services_discovery/sap.c
@@ -284,9 +284,6 @@ static int Open( vlc_object_t *p_this )
      services_discovery_sys_t *p_sys  = (services_discovery_sys_t *)
                                  malloc( sizeof( services_discovery_sys_t ) );
  
-    playlist_view_t     *p_view;
-    vlc_value_t         val;
-
      p_sys->i_timeout = var_CreateGetInteger( p_sd, "sap-timeout" );
  
      p_sd->pf_run = Run;
@@ -579,7 +576,7 @@ static int Demux( demux_t *p_demux )
                                                 FIND_ANYWHERE );
  
      /* TODO FIXME !! Add at the correct place */
-    playlist_PlaylistAdd( p_playlist, p_sdp->psz_uri, p_sdp->psz_sessionname,
+    playlist_PlaylistAdd( p_playlist, p_sdp->psz_uri, EnsureUTF8( p_sdp->psz_sessionname ),
                            PLAYLIST_APPEND, PLAYLIST_END );
  
      vlc_object_release( p_playlist );
@@ -602,6 +599,7 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
  {
      int                 i_version, i_address_type, i_hash, i;
      char                *psz_sdp, *psz_foo, *psz_initial_sdp;
+    uint8_t             *p_decompressed_buffer = NULL;
      sdp_t               *p_sdp;
      vlc_bool_t          b_compressed;
      vlc_bool_t          b_need_delete = VLC_FALSE;
@@ -668,16 +666,20 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
      if( b_compressed )
      {
  #ifdef HAVE_ZLIB_H
-        uint8_t *p_decompressed_buffer = NULL;
          int      i_decompressed_size;
  
          i_decompressed_size = Decompress( (uint8_t *)psz_sdp,
                     &p_decompressed_buffer, i_read - ( psz_sdp - (char *)p_buffer ) );
-        if( i_decompressed_size > 0 && i_decompressed_size < MAX_SAP_BUFFER )
+        if( i_decompressed_size > 0 )
          {
-            memcpy( psz_sdp, p_decompressed_buffer, i_decompressed_size );
+            psz_sdp = (char *)p_decompressed_buffer;
+            realloc( p_decompressed_buffer, i_decompressed_size++ );
              psz_sdp[i_decompressed_size] = '\0';
-            free( p_decompressed_buffer );
+        }
+        else
+        {
+            msg_Warn( p_sd, "decompression of sap packet failed" );
+            return VLC_EGENERIC;
          }
  #else
          msg_Warn( p_sd, "ignoring compressed sap packet" );
@@ -772,6 +774,7 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
  
      CreateAnnounce( p_sd, i_hash, p_sdp );
  
+    FREE( p_decompressed_buffer );
      return VLC_SUCCESS;
  }
  
@@ -879,8 +882,8 @@ static char *GetAttribute( sdp_t *p_sdp, const char *psz_search )
  /* Fill p_sdp->psz_uri */
  static int ParseConnection( vlc_object_t *p_obj, sdp_t *p_sdp )
  {
-    char *psz_eof;
-    char *psz_parse;
+    char *psz_eof = NULL;
+    char *psz_parse = NULL;
      char *psz_uri = NULL;
      char *psz_proto = NULL;
      char psz_source[256];
author	Derk-Jan Hartman <hartman@videolan.org>
	Wed, 28 Jun 2006 20:03:15 +0000 (20:03 +0000)
committer	Derk-Jan Hartman <hartman@videolan.org>
	Wed, 28 Jun 2006 20:03:15 +0000 (20:03 +0000)