[SCM] kodi-pvr-vdr-vnsi/master: responsepacket: add range checks to fix buffer overflow

tiber-guest at users.alioth.debian.org
Sun Feb 28 15:46:47 UTC 2016


The following commit has been merged in the master branch:
commit 0ee29a65c264670dc1c936d8da2e5cab2b563e28
Author: Max Kellermann <max at duempel.org>
Date:   Wed Nov 4 20:22:57 2015 +0100

    responsepacket: add range checks to fix buffer overflow
    
    Calling strlen() on a buffer without knowing if there's a null
    terminator is easy to crash.  The strlen() function will simply run
    across the buffer end, until it happens to find a null byte in the
    following (undefined) data section, or until it gets killed by the
    kernel.
    
    Another problem is that the method serverError() does not work.  It
    works only if nobody has moved the packetPos yet - which is a wrong
    assumption to make.

diff --git a/src/responsepacket.cpp b/src/responsepacket.cpp
index 5dce756..31059b3 100644
--- a/src/responsepacket.cpp
+++ b/src/responsepacket.cpp
@@ -164,8 +164,13 @@ char* cResponsePacket::extract_String()
 {
   if (serverError()) return NULL;
 
-  int length = strlen((char*)&userData[packetPos]);
-  if ((packetPos + length) > userDataLength) return NULL;
+  const char *p = (const char *)&userData[packetPos];
+  const char *end = (const char *)memchr(p, '\0', userDataLength - packetPos);
+  if (end == NULL)
+    /* string is not terminated - fail */
+    return NULL;
+
+  int length = end - p;
   char* str = new char[length + 1];
   strcpy(str, (char*)&userData[packetPos]);
   packetPos += length + 1;
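
Review bot: the length passed to memchr(), `userDataLength - packetPos`, is computed with no check in this hunk that packetPos is still within userDataLength. If packetPos can ever exceed userDataLength, the difference goes negative or wraps, memchr() receives a huge size, and the read runs past the buffer end again. The commit message says serverError() cannot be relied on once packetPos has moved, so an explicit guard such as `if (packetPos > userDataLength) return NULL;` ahead of the memchr() would make the bound self-contained. Minor points: with the length already known, the unchanged `strcpy(str, ...)` could be a memcpy of `length + 1` bytes, and `int length = end - p;` narrows a pointer difference to int.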

-- 
kodi-pvr-vdr-vnsi packaging