[xiph-cvs] cvs commit: log log.c
Michael Smith
msmith at xiph.org
Fri Apr 5 01:28:27 PST 2002
msmith 02/04/05 01:28:26
Modified: src format.h format_vorbis.c source.c
. httpp.c
. log.c
Log:
Buffer overflows.
Requires a change to the format plugin interface - jack: if you want this
done differently, feel free to change it (or ask me to).
Revision Changes Path
1.5 +2 -1 icecast/src/format.h
Index: format.h
===================================================================
RCS file: /usr/local/cvsroot/icecast/src/format.h,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- format.h 2002/02/11 09:11:17 1.4
+++ format.h 2002/04/05 09:28:25 1.5
@@ -24,7 +24,8 @@
*/
int has_predata;
- refbuf_t *(*get_buffer)(struct _format_plugin_tag *self, char *data, unsigned long len);
+ int (*get_buffer)(struct _format_plugin_tag *self, char *data, unsigned long
+ len, refbuf_t **buffer);
refbuf_queue_t *(*get_predata)(struct _format_plugin_tag *self);
void (*free_plugin)(struct _format_plugin_tag *self);
<p><p>1.5 +18 -11 icecast/src/format_vorbis.c
Index: format_vorbis.c
===================================================================
RCS file: /usr/local/cvsroot/icecast/src/format_vorbis.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- format_vorbis.c 2002/02/11 09:11:17 1.4
+++ format_vorbis.c 2002/04/05 09:28:25 1.5
@@ -16,6 +16,8 @@
#include "stats.h"
#include "format.h"
+#define MAX_HEADER_PAGES 10
+
typedef struct _vstate_tag
{
ogg_sync_state oy;
@@ -26,12 +28,12 @@
ogg_page og;
unsigned long serialno;
int header;
- refbuf_t *headbuf[10];
+ refbuf_t *headbuf[MAX_HEADER_PAGES];
int packets;
} vstate_t;
void format_vorbis_free_plugin(format_plugin_t *self);
-refbuf_t *format_vorbis_get_buffer(format_plugin_t *self, char *data, unsigned long len);
+int format_vorbis_get_buffer(format_plugin_t *self, char *data, unsigned long len, refbuf_t **buffer);
refbuf_queue_t *format_vorbis_get_predata(format_plugin_t *self);
format_plugin_t *format_vorbis_get_plugin(void)
@@ -68,7 +70,7 @@
vorbis_comment_clear(&state->vc);
vorbis_info_clear(&state->vi);
- for (i = 0; i < 10; i++) {
+ for (i = 0; i < MAX_HEADER_PAGES; i++) {
if (state->headbuf[i]) {
refbuf_release(state->headbuf[i]);
state->headbuf[i] = NULL;
@@ -81,19 +83,19 @@
free(self);
}
-refbuf_t *format_vorbis_get_buffer(format_plugin_t *self, char *data, unsigned long len)
+int format_vorbis_get_buffer(format_plugin_t *self, char *data, unsigned long len, refbuf_t **buffer)
{
- char *buffer;
- refbuf_t *refbuf;
+ char *buf;
int i, result;
ogg_packet op;
char *tag;
+ refbuf_t *refbuf;
vstate_t *state = (vstate_t *)self->_state;
if (data) {
/* write the data to the buffer */
- buffer = ogg_sync_buffer(&state->oy, len);
- memcpy(buffer, data, len);
+ buf = ogg_sync_buffer(&state->oy, len);
+ memcpy(buf, data, len);
ogg_sync_wrote(&state->oy, len);
}
@@ -109,7 +111,7 @@
state->packets = 0;
/* release old headers, stream state, vorbis data */
- for (i = 0; i < 10; i++) {
+ for (i = 0; i < MAX_HEADER_PAGES; i++) {
if (state->headbuf[i]) {
refbuf_release(state->headbuf[i]);
state->headbuf[i] = NULL;
@@ -150,6 +152,10 @@
/* cache header pages */
if (state->header > 0) {
+ if(state->header > MAX_HEADER_PAGES) {
+ refbuf_release(refbuf);
+ return -1;
+ }
refbuf_addref(refbuf);
state->headbuf[state->header - 1] = refbuf;
@@ -174,7 +180,8 @@
}
}
- return refbuf;
+ *buffer = refbuf;
+ return 0;
}
refbuf_queue_t *format_vorbis_get_predata(format_plugin_t *self)
@@ -184,7 +191,7 @@
vstate_t *state = (vstate_t *)self->_state;
queue = NULL;
- for (i = 0; i < 10; i++) {
+ for (i = 0; i < MAX_HEADER_PAGES; i++) {
if (state->headbuf[i]) {
refbuf_addref(state->headbuf[i]);
refbuf_queue_add(&queue, state->headbuf[i]);
<p><p>1.11 +12 -2 icecast/src/source.c
Index: source.c
===================================================================
RCS file: /usr/local/cvsroot/icecast/src/source.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- source.c 2002/03/22 21:18:03 1.10
+++ source.c 2002/04/05 09:28:25 1.11
@@ -147,7 +147,11 @@
stats_event(source->mount, "description", s);
while (global.running == ICE_RUNNING) {
- refbuf = source->format->get_buffer(source->format, NULL, 0);
+ int ret = source->format->get_buffer(source->format, NULL, 0, &refbuf);
+ if(ret < 0) {
+ WARN0("Bad data from source");
+ break;
+ }
while (refbuf == NULL) {
bytes = 0;
while (bytes <= 0) {
@@ -167,7 +171,11 @@
if (bytes == 0 || (bytes < 0 && !sock_recoverable(sock_error()))) break;
}
if (bytes <= 0) break;
- refbuf = source->format->get_buffer(source->format, buffer, bytes);
+ ret = source->format->get_buffer(source->format, buffer, bytes, &refbuf);
+ if(ret < 0) {
+ WARN0("Bad data from source");
+ goto done;
+ }
}
if (bytes <= 0) {
@@ -332,6 +340,8 @@
/* release write lock on client_tree */
avl_tree_unlock(source->client_tree);
}
+
+done:
printf("DEBUG: we're going down...\n");
<p><p>1.5 +6 -2 httpp/httpp.c
Index: httpp.c
===================================================================
RCS file: /usr/local/cvsroot/httpp/httpp.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- httpp.c 2002/02/11 09:11:18 1.4
+++ httpp.c 2002/04/05 09:28:25 1.5
@@ -3,6 +3,8 @@
** http parsing engine
*/
+#include <stdio.h>
+
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
@@ -15,6 +17,8 @@
#define strcasecmp stricmp
#endif
+#define MAX_HEADERS 32
+
/* internal functions */
/* misc */
@@ -48,7 +52,7 @@
int httpp_parse(http_parser_t *parser, char *http_data, unsigned long len)
{
char *data, *tmp;
- char *line[32]; /* limited to 32 lines, should be more than enough */
+ char *line[MAX_HEADERS]; /* limited to 32 lines, should be more than enough */
int i, l, retlen;
int lines;
char *req_type = NULL;
@@ -73,7 +77,7 @@
*/
lines = 0;
line[lines] = data;
- for (i = 0; i < len; i++) {
+ for (i = 0; i < len && lines < MAX_HEADERS; i++) {
if (data[i] == '\r')
data[i] = '\0';
if (data[i] == '\n') {
<p><p>1.7 +3 -1 log/log.c
Index: log.c
===================================================================
RCS file: /usr/local/cvsroot/log/log.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- log.c 2002/01/29 09:20:27 1.6
+++ log.c 2002/04/05 09:28:26 1.7
@@ -35,7 +35,7 @@
char *filename;
FILE *logfile;
- char *buffer;
+ char *buffer;
} log_t;
log_t loglist[LOG_MAXLOGS];
@@ -170,7 +170,9 @@
va_list ap;
if (log_id < 0) return;
+ if (log_id > LOG_MAXLOGS) return; /* Bad log number */
if (loglist[log_id].level < priority) return;
+ if (priority > 4) return; /* Bad priority */
va_start(ap, fmt);
<p><p><p>--- >8 ----
List archives: http://www.xiph.org/archives/
Ogg project homepage: http://www.xiph.org/ogg/
To unsubscribe from this list, send a message to 'cvs-request at xiph.org'
containing only the word 'unsubscribe' in the body. No subject is needed.
Unsubscribe messages sent to the list will be ignored/filtered.
More information about the commits
mailing list