[vlc-devel] commit: MMS integers handling fixes, including buffer overflow ( Rémi Denis-Courmont )

Sun Aug 24 12:15:10 CEST 2008

vlc | branch: 0.8.6-bugfix | Rémi Denis-Courmont <rdenis at simphalempin.com> | Sun Aug 24 13:18:01 2008 +0300| [2947f778df4f440ceeb6f5dc1bdb0e9f5cd31e74] | committer: Rémi Denis-Courmont 

MMS integers handling fixes, including buffer overflow

Pointed-out-by: Pınar Yanardağ
(cherry picked from commit afe3464a1c7c6f9d7640a3f5db17010c34212440)

Conflicts:

	modules/access/mms/mmstu.c

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=2947f778df4f440ceeb6f5dc1bdb0e9f5cd31e74
---

 modules/access/mms/mmstu.c |   19 ++++++++++---------
 modules/access/mms/mmstu.h |    6 +++---
 2 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/modules/access/mms/mmstu.c b/modules/access/mms/mmstu.c
index 61f9e38..df5ec78 100644
--- a/modules/access/mms/mmstu.c
+++ b/modules/access/mms/mmstu.c
@@ -28,6 +28,7 @@
 #include <stdlib.h>
 #include <vlc/vlc.h>
 #include <string.h>
+#include <inttypes.h>
 #include <vlc/input.h>
 #include <errno.h>
 
@@ -695,7 +696,7 @@ static int MMSOpen( access_t  *p_access, vlc_url_t *p_url, int  i_proto )
         GetDWLE( p_sys->p_cmd + MMS_CMD_HEADERSIZE + 60 );
 
     msg_Dbg( p_access,
-             "answer 0x06 flags:0x%8.8x media_length:%us packet_length:%lu packet_count:%u max_bit_rate:%d header_size:%d",
+             "answer 0x06 flags:0x%8.8"PRIx32" media_length:%"PRIu32"s packet_length:%zu packet_count:%"PRIu32" max_bit_rate:%d header_size:%zu",
              p_sys->i_flags_broadcast,
              p_sys->i_media_length,
              p_sys->i_packet_length,
@@ -749,12 +750,12 @@ static int MMSOpen( access_t  *p_access, vlc_url_t *p_url, int  i_proto )
         if( p_sys->i_header >= p_sys->i_header_size )
         {
             msg_Dbg( p_access,
-                     "header complete(%d)",
+                     "header complete(%zu)",
                      p_sys->i_header );
             break;
         }
         msg_Dbg( p_access,
-                 "header incomplete (%d/%d), reading more",
+                 "header incomplete (%zu/%zu), reading more",
                  p_sys->i_header,
                  p_sys->i_header_size );
     }
@@ -1128,7 +1129,7 @@ static int NetFillBuffer( access_t *p_access )
 
 static int  mms_ParseCommand( access_t *p_access,
                               uint8_t *p_data,
-                              int i_data,
+                              size_t i_data,
                               int *pi_used )
 {
  #define GET32( i_pos ) \
@@ -1137,7 +1138,7 @@ static int  mms_ParseCommand( access_t *p_access,
       ( p_sys->p_cmd[i_pos + 3] << 24 ) )
 
     access_sys_t        *p_sys = p_access->p_sys;
-    int         i_length;
+    uint32_t    i_length;
     uint32_t    i_id;
 
     if( p_sys->p_cmd )
@@ -1159,10 +1160,10 @@ static int  mms_ParseCommand( access_t *p_access,
     i_id =  GetDWLE( p_data + 4 );
     i_length = GetDWLE( p_data + 8 ) + 16;
 
-    if( i_id != 0xb00bface )
+    if( i_id != 0xb00bface || i_length < 16 )
     {
         msg_Err( p_access,
-                 "incorrect command header (0x%x)", i_id );
+                 "incorrect command header (0x%"PRIx32")", i_id );
         p_sys->i_command = 0;
         return -1;
     }
@@ -1170,8 +1171,8 @@ static int  mms_ParseCommand( access_t *p_access,
     if( i_length > p_sys->i_cmd )
     {
         msg_Warn( p_access,
-                  "truncated command (missing %d bytes)",
-                   i_length - i_data  );
+                  "truncated command (missing %zu bytes)",
+                   (size_t)i_length - i_data  );
         p_sys->i_command = 0;
         return -1;
     }
diff --git a/modules/access/mms/mmstu.h b/modules/access/mms/mmstu.h
index b265127..8d41fe7 100644
--- a/modules/access/mms/mmstu.h
+++ b/modules/access/mms/mmstu.h
@@ -62,10 +62,10 @@ struct access_sys_t
     int         i_packet_seq_num;
 
     uint8_t     *p_cmd;     /* latest command read */
-    int         i_cmd;      /* allocated at the begining */
+    size_t      i_cmd;      /* allocated at the begining */
 
     uint8_t     *p_header;  /* allocated by mms_ReadPacket */
-    int         i_header;
+    size_t      i_header;
 
     uint8_t     *p_media;   /* allocated by mms_ReadPacket */
     size_t      i_media;
@@ -86,7 +86,7 @@ struct access_sys_t
     size_t      i_packet_length;
     uint32_t    i_packet_count;
     int         i_max_bit_rate;
-    int         i_header_size;
+    size_t      i_header_size;
 
     /* */
     vlc_bool_t  b_seekable;


