[SCM] kodi-pvr-vdr-vnsi/master: responsepacket: add range checks to fix buffer overflow
tiber-guest at users.alioth.debian.org
Sun Feb 28 15:46:47 UTC 2016
The following commit has been merged in the master branch:
commit 0ee29a65c264670dc1c936d8da2e5cab2b563e28
Author: Max Kellermann <max at duempel.org>
Date: Wed Nov 4 20:22:57 2015 +0100
responsepacket: add range checks to fix buffer overflow
Calling strlen() on a buffer without knowing if there's a null
terminator is easy to crash. The strlen() function will simply run
across the buffer end, until it happens to find a null byte in the
following (undefined) data section, or until it gets killed by the
kernel.
Another problem is that the method serverError() does not work. It
works only if nobody has moved the packetPos yet - which is a wrong
assumption to make.
diff --git a/src/responsepacket.cpp b/src/responsepacket.cpp
index 5dce756..31059b3 100644
--- a/src/responsepacket.cpp
+++ b/src/responsepacket.cpp
@@ -164,8 +164,13 @@ char* cResponsePacket::extract_String()
{
if (serverError()) return NULL;
- int length = strlen((char*)&userData[packetPos]);
- if ((packetPos + length) > userDataLength) return NULL;
+ const char *p = (const char *)&userData[packetPos];
+ const char *end = (const char *)memchr(p, '\0', userDataLength - packetPos);
+ if (end == NULL)
+ /* string is not terminated - fail */
+ return NULL;
+
+ int length = end - p;
char* str = new char[length + 1];
strcpy(str, (char*)&userData[packetPos]);
packetPos += length + 1;
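Review bot: the length argument `userDataLength - packetPos` in the memchr() call is computed without first checking that packetPos still lies inside the buffer. If packetPos has already advanced past userDataLength, the difference is negative (or wraps), and once converted to memchr()'s size_t count it becomes a huge value, so the scan can again run past the end of userData. The only guard in this hunk is still `if (serverError()) return NULL;`, which the commit message itself says cannot be relied on once packetPos has moved. Suggest an explicit `if (packetPos >= userDataLength) return NULL;` before taking `p`, since at that point there is nothing left to read. Two smaller points: `int length = end - p;` narrows a pointer difference to int, and because the length is now known, the unchanged strcpy() below could become a memcpy() of `length + 1` bytes from `p` rather than scanning the string a second time.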
--
kodi-pvr-vdr-vnsi packaging