[vlc-commits] upnp: Use UpnpResolveURL2 API instead of UpnpResolveURL

[Will Newton]

vlc | branch: master | Will Newton <will.newton at gmail.com> | Tue Feb 12 16:33:17 2019 +0000| [18a463930511f908733e95906abbeb43430ee09d] | committer: Hugo Beauzée-Luyssen

upnp: Use UpnpResolveURL2 API instead of UpnpResolveURL

The UpnpResolveURL APi is very hard to use correctly and can
result in buffer overflow issues. Use the UpnpResolveURL2 API
instead and fix two small buffer overflows.

https://hackerone.com/reports/494841

Signed-off-by: Will Newton <will.newton at gmail.com>
Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=18a463930511f908733e95906abbeb43430ee09d
---

 modules/services_discovery/upnp.cpp | 27 +++++++++++----------------
 modules/stream_out/dlna/dlna.cpp    |  4 ++--
 2 files changed, 13 insertions(+), 18 deletions(-)

diff --git a/modules/services_discovery/upnp.cpp b/modules/services_discovery/upnp.cpp
index 9aa62d96d4..a467caaaa8 100644
--- a/modules/services_discovery/upnp.cpp
+++ b/modules/services_discovery/upnp.cpp
@@ -566,25 +566,20 @@ void MediaServerList::parseNewServer( IXML_Document *doc, const std::string &loc
             }
 
             /* Try to browse content directory. */
-            char* psz_url = ( char* ) malloc( strlen( psz_base_url ) + strlen( psz_control_url ) + 1 );
-            if ( psz_url )
+            char* psz_url = NULL;
+            if ( UpnpResolveURL2( psz_base_url, psz_control_url, &psz_url ) == UPNP_E_SUCCESS )
             {
-                if ( UpnpResolveURL( psz_base_url, psz_control_url, psz_url ) == UPNP_E_SUCCESS )
+                SD::MediaServerDesc* p_server = new(std::nothrow) SD::MediaServerDesc( psz_udn,
+                    psz_friendly_name, psz_url, iconUrl );
+                free( psz_url );
+                if ( unlikely( !p_server ) )
+                    break;
+
+                if ( !addServer( p_server ) )
                 {
-                    SD::MediaServerDesc* p_server = new(std::nothrow) SD::MediaServerDesc( psz_udn,
-                            psz_friendly_name, psz_url, iconUrl );
-                    free( psz_url );
-                    if ( unlikely( !p_server ) )
-                        break;
-
-                    if ( !addServer( p_server ) )
-                    {
-                        delete p_server;
-                        continue;
-                    }
+                    delete p_server;
+                    continue;
                 }
-                else
-                    free( psz_url );
             }
         }
         ixmlNodeList_free( p_service_list );
diff --git a/modules/stream_out/dlna/dlna.cpp b/modules/stream_out/dlna/dlna.cpp
index da966442f5..44fcef90ec 100644
--- a/modules/stream_out/dlna/dlna.cpp
+++ b/modules/stream_out/dlna/dlna.cpp
@@ -519,8 +519,8 @@ char *MediaRenderer::getServiceURL(const char* type, const char *service)
             if ( !psz_control_url )
                 continue;
 
-            char* psz_url = ( char* ) malloc( base_url.length() + strlen( psz_control_url ) + 1 );
-            if ( psz_url && UpnpResolveURL( base_url.c_str(), psz_control_url, psz_url ) == UPNP_E_SUCCESS )
+            char* psz_url = NULL;
+            if ( UpnpResolveURL2( base_url.c_str(), psz_control_url, &psz_url ) == UPNP_E_SUCCESS )
                 return psz_url;
             return nullptr;
         }