[vlc-commits] commit: growl: fix a buffer overflow. ( Rémi Duraffort )
git at videolan.org
git at videolan.org
Sat Apr 17 11:58:52 CEST 2010
vlc/vlc-1.0 | branch: master | Rémi Duraffort <ivoire at videolan.org> | Sun Mar 28 18:40:00 2010 +0200| [036f68b6adb0ba4fbe4992b05a6d4c938616b0b4] | committer: Rémi Duraffort
growl: fix a buffer overflow.
(cherry picked from commit 6af8bf05b784b6dc9743c8f353ef187d41f1fe7e)
Signed-off-by: Rémi Duraffort <ivoire at videolan.org>
> http://git.videolan.org/gitweb.cgi/vlc/vlc-1.0.git/?a=commit;h=036f68b6adb0ba4fbe4992b05a6d4c938616b0b4
---
modules/misc/notify/growl_udp.c | 38 ++++++++++++++++++++------------------
1 files changed, 20 insertions(+), 18 deletions(-)
diff --git a/modules/misc/notify/growl_udp.c b/modules/misc/notify/growl_udp.c
index a333d3c..2913d1a 100644
--- a/modules/misc/notify/growl_udp.c
+++ b/modules/misc/notify/growl_udp.c
@@ -49,7 +49,7 @@ static int ItemChange( vlc_object_t *, const char *,
static int RegisterToGrowl( vlc_object_t *p_this );
static int NotifyToGrowl( vlc_object_t *p_this, const char *psz_desc );
-static int CheckAndSend( vlc_object_t *p_this, uint8_t* p_data, int i_offset );
+static int CheckAndSend( vlc_object_t *p_this, uint8_t* p_data, int i_offset, size_t is_ze );
#define GROWL_MAX_LENGTH 256
/*****************************************************************************
@@ -217,7 +217,7 @@ static int RegisterToGrowl( vlc_object_t *p_this )
}
psz_encoded[5] = i_defaults;
- CheckAndSend(p_this, psz_encoded, i);
+ CheckAndSend(p_this, psz_encoded, i, 100);
free( psz_encoded );
return VLC_SUCCESS;
}
@@ -249,36 +249,35 @@ static int NotifyToGrowl( vlc_object_t *p_this, const char *psz_desc )
strcpy( (char*)(psz_encoded+i), APPLICATION_NAME );
i += strlen(APPLICATION_NAME);
- CheckAndSend(p_this, psz_encoded, i);
+ CheckAndSend(p_this, psz_encoded, i, GROWL_MAX_LENGTH + 42);
free( psz_encoded );
return VLC_SUCCESS;
}
-static int CheckAndSend( vlc_object_t *p_this, uint8_t* p_data, int i_offset )
+static int CheckAndSend( vlc_object_t *p_this, uint8_t* p_data, int i_offset, size_t i_size )
{
- int i, i_handle;
+ int i_handle;
struct md5_s md5;
char *psz_password = config_GetPsz( p_this, "growl-password" );
char *psz_server = config_GetPsz( p_this, "growl-server" );
int i_port = config_GetInt( p_this, "growl-port" );
if(!psz_password || !psz_server)
- {
- free( psz_password );
- free( psz_server );
- return VLC_EGENERIC;
- }
+ goto error;
+
+ int i_password_length = strlen( psz_password );
+ // Check that the buffer is larger enought for the string and the md5
+ if( i_offset + i_password_length + 4*4 >= i_size )
+ goto error;
strcpy( (char*)(p_data+i_offset), psz_password );
- i = i_offset + strlen(psz_password);
InitMD5( &md5 );
- AddMD5( &md5, p_data, i );
+ AddMD5( &md5, p_data, i_offset + i_password_length );
EndMD5( &md5 );
- for( i = 0 ; i < 4 ; i++ )
+ for( int i = 0 ; i < 4 ; i++ )
{
- md5.p_digest[i] = md5.p_digest[i];
p_data[i_offset++] = md5.p_digest[i] &0xFF;
p_data[i_offset++] = (md5.p_digest[i]>> 8)&0xFF;
p_data[i_offset++] = (md5.p_digest[i]>>16)&0xFF;
@@ -288,10 +287,8 @@ static int CheckAndSend( vlc_object_t *p_this, uint8_t* p_data, int i_offset )
i_handle = net_ConnectUDP( p_this, psz_server, i_port, -1 );
if( i_handle == -1 )
{
- msg_Err( p_this, "failed to open a connection (udp)" );
- free( psz_password);
- free( psz_server);
- return VLC_EGENERIC;
+ msg_Err( p_this, "failed to open a connection (udp)" );
+ goto error;
}
shutdown( i_handle, SHUT_RD );
@@ -304,6 +301,11 @@ static int CheckAndSend( vlc_object_t *p_this, uint8_t* p_data, int i_offset )
free( psz_password);
free( psz_server);
return VLC_SUCCESS;
+
+error:
+ free( psz_password );
+ free( psz_server );
+ return VLC_EGENERIC;
}
#undef GROWL_PROTOCOL_VERSION
More information about the vlc-commits
mailing list