From 4a432dc1ee1d6294870ce9c8fbfa333ef6cab787 Mon Sep 17 00:00:00 2001
From: reimar
Date: Sun, 28 Feb 2010 09:37:35 +0000
Subject: Improve integer overflow and realloc error handling in playlist parser.
git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@30791 b3059339-0415-0410-9bf9-f77b7e298cf2
---
 playtreeparser.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
(limited to 'playtreeparser.c')
diff --git a/playtreeparser.c b/playtreeparser.c
index c9a6695b86..596d7f8d78 100644
--- a/playtreeparser.c
+++ b/playtreeparser.c
@@ -30,6 +30,7 @@
 #include
 #include
 #include
+#include
 #include "asxparser.h"
 #include "m_config.h"
 #include "playtree.h"
@@ -80,8 +81,15 @@ play_tree_parser_get_line(play_tree_parser_t* p) {
 while(1) {
 if(resize) {
+ char *tmp;
 r = p->iter - p->buffer;
- p->buffer = realloc(p->buffer, p->buffer_size + BUF_STEP);
+ end = p->buffer + p->buffer_end;
+ if (p->buffer_size > INT_MAX - BUF_STEP)
+ break;
+ tmp = realloc(p->buffer, p->buffer_size + BUF_STEP);
+ if (!tmp)
+ break;
+ p->buffer = tmp;
 p->iter = p->buffer + r;
 p->buffer_size += BUF_STEP;
 resize = 0;
@@ -238,6 +246,7 @@ static int
 pls_read_entry(char* line,pls_entry_t** _e,int* _max_entry,char** val) {
 int num,max_entry = (*_max_entry);
 pls_entry_t* e = (*_e);
+ int limit = INT_MAX / sizeof(*e);
 char* v;
 v = pls_entry_get_value(line);
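Review bot: When the size guard or the realloc fails, the loop exits through `break` with `end` pointing at the current buffer end and no diagnostic, so presumably the code after the loop hands the caller whatever partial line is buffered as if it were complete. Since mp_msg is already used elsewhere in this file, a warning before each `break` (e.g. `mp_msg(MSGT_PLAYTREE, MSGL_WARN, "Playlist line too long or out of memory, truncating\n");`) would make a silently truncated playlist line visible to the user. Computing `end` before the realloc is correct only because `p->buffer` is left untouched on both failure paths; a comment such as `/* end must stay valid for the break paths below: p->buffer is not replaced if we bail out */` would save the next reader that analysis. The type of `p->buffer_size` is not visible here; the `INT_MAX - BUF_STEP` guard presumes it is an int. play_tree_parser_get_line starts and ends outside the hunk.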
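Review bot: `int limit = INT_MAX / sizeof(*e);` gives no hint of why INT_MAX is the bound; a comment such as `/* largest entry index for which num * sizeof(*e) still fits in an int */` would document the intent, and `const int limit` would mark it as a per-call constant. The division itself is performed in size_t (INT_MAX converts to the unsigned type), so the result is well defined and always fits back into an int. pls_read_entry continues past the end of this hunk.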
@@ -247,12 +256,18 @@ pls_read_entry(char* line,pls_entry_t** _e,int* _max_entry,char** val) {
 }
 num = atoi(line);
- if(num < 0) {
+ if(num < 0 || num > limit) {
+ if (max_entry >= limit) {
+ mp_msg(MSGT_PLAYTREE, MSGL_WARN, "Too many index entries\n");
+ return 0;
+ }
 num = max_entry+1;
- mp_msg(MSGT_PLAYTREE,MSGL_WARN,"No entry index in entry %s\nAssuming %d\n",line,num);
+ mp_msg(MSGT_PLAYTREE,MSGL_WARN,"No or invalid entry index in entry %s\nAssuming %d\n",line,num);
 }
 if(num > max_entry) {
 e = realloc(e, num * sizeof(pls_entry_t));
+ if (!e)
+ return 0;
 memset(&e[max_entry],0,(num-max_entry)*sizeof(pls_entry_t));
 max_entry = num;
 }
-- cgit v1.2.3
From 7e23f68cf7691e2599389b8c568df8153336c48b Mon Sep 17 00:00:00 2001
From: reimar
Date: Sun, 28 Feb 2010 09:39:30 +0000
Subject: A playlist entry number of 0 is invalid for pls playlists.
git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@30792 b3059339-0415-0410-9bf9-f77b7e298cf2
---
 playtreeparser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'playtreeparser.c')
diff --git a/playtreeparser.c b/playtreeparser.c
index 596d7f8d78..39fcd76b21 100644
--- a/playtreeparser.c
+++ b/playtreeparser.c
@@ -256,7 +256,7 @@ pls_read_entry(char* line,pls_entry_t** _e,int* _max_entry,char** val) {
 }
 num = atoi(line);
- if(num < 0 || num > limit) {
+ if(num <= 0 || num > limit) {
 if (max_entry >= limit) {
 mp_msg(MSGT_PLAYTREE, MSGL_WARN, "Too many index entries\n");
 return 0;
-- cgit v1.2.3
From 62cc3b452b4dba6a1664cd9e4a8ec7aa96fa40ea Mon Sep 17 00:00:00 2001
From: reimar
Date: Sun, 28 Feb 2010 09:41:07 +0000
Subject: Use negative return values for errors in pls_read_entry to make it match with the checks later on.
git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@30793 b3059339-0415-0410-9bf9-f77b7e298cf2
---
 playtreeparser.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'playtreeparser.c')
diff --git a/playtreeparser.c b/playtreeparser.c
index 39fcd76b21..587229ed01 100644
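Review bot: The new `num > limit` check only rules out arithmetic overflow; any index up to INT_MAX / sizeof(pls_entry_t) is still accepted from the playlist and drives `realloc(e, num * sizeof(pls_entry_t))` plus a memset of the whole new range, so a single entry with an index in the millions in an untrusted playlist forces an allocation close to INT_MAX bytes. A much smaller sanity cap on the index, or a limit on how far beyond max_entry one entry may jump, would bound the memory and work a hostile file can cause. The bound is also only as reliable as `atoi(line)` (a context line here), whose behaviour on out-of-range input is undefined; `strtol` with `errno`/end-pointer checks would make the comparison against `limit` dependable. pls_read_entry starts and ends outside the hunk.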
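Review bot: `if(num <= 0 || num > limit)` now folds index 0 into the "no or invalid index" fallback, but nothing in the code records that pls entry numbers are 1-based, which (per the commit message) is the reason 0 is rejected; a comment on that line such as `/* pls indices start at 1; 0 means no usable index */` would preserve the rationale. Since atoi also yields 0 for a line with no leading digits, the existing warning text already covers both the "0" and "no number" cases, which is worth stating in the same comment. pls_read_entry continues before and after this hunk.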
--- a/playtreeparser.c
+++ b/playtreeparser.c
@@ -252,14 +252,14 @@ pls_read_entry(char* line,pls_entry_t** _e,int* _max_entry,char** val) {
 v = pls_entry_get_value(line);
 if(!v) {
 mp_msg(MSGT_PLAYTREE,MSGL_ERR,"No value in entry %s\n",line);
- return 0;
+ return -1;
 }
 num = atoi(line);
 if(num <= 0 || num > limit) {
 if (max_entry >= limit) {
 mp_msg(MSGT_PLAYTREE, MSGL_WARN, "Too many index entries\n");
- return 0;
+ return -1;
 }
 num = max_entry+1;
 mp_msg(MSGT_PLAYTREE,MSGL_WARN,"No or invalid entry index in entry %s\nAssuming %d\n",line,num);
@@ -267,7 +267,7 @@ pls_read_entry(char* line,pls_entry_t** _e,int* _max_entry,char** val) {
 if(num > max_entry) {
 e = realloc(e, num * sizeof(pls_entry_t));
 if (!e)
- return 0;
+ return -1;
 memset(&e[max_entry],0,(num-max_entry)*sizeof(pls_entry_t));
 max_entry = num;
 }
-- cgit v1.2.3
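Review bot: The error returns become `-1` at both `return 0;` sites in this hunk and at the realloc failure in the following hunk (@@ -267), but the return contract of pls_read_entry is not written down anywhere visible, so a future edit can easily reintroduce a 0 that the caller's negative checks would miss. A comment above the function (outside this hunk) such as `/* Returns a negative value on error (missing value, too many entries, allocation failure). */` would tie the three sites together; the success value is produced outside the hunk, so state it there once it is known. pls_read_entry starts before and ends after this hunk.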
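Review bot: `e = realloc(e, num * sizeof(pls_entry_t));` followed by `if (!e) return -1;` drops the local handle to the old entry array on failure; that is leak-free only if `*_e` (copied into `e` at the top of the function) has not yet been replaced when this runs, which is not visible in the hunk. The conventional form `pls_entry_t *tmp = realloc(e, num * sizeof(*e)); if (!tmp) return -1; e = tmp;` keeps the existing entries reachable regardless of when `*_e` is updated and costs nothing. The enclosing function starts before and ends after this hunk.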