[xiph-commits] r3887 - libfishsound/trunk/src/libfishsound

[conrad at svn.annodex.net]

Author: conrad
Date: 2009-03-18 23:29:03 -0700 (Wed, 18 Mar 2009)
New Revision: 3887

Modified:
   libfishsound/trunk/src/libfishsound/comments.c
Log:
clamp comment lengths to fit within 32 bits (including trailing NUL).
Fixes potential wrapping of strlen in fs_strdup, fs_strdup_len

Modified: libfishsound/trunk/src/libfishsound/comments.c
===================================================================
--- libfishsound/trunk/src/libfishsound/comments.c	2009-03-19 03:56:22 UTC (rev 3886)
+++ libfishsound/trunk/src/libfishsound/comments.c	2009-03-19 06:29:03 UTC (rev 3887)
@@ -44,8 +44,12 @@
 
 /*#define DEBUG*/
 
-/* Ensure comment vector length can be expressed in 32 bits */
-static unsigned long
+/* Ensure comment vector length can be expressed in 32 bits
+ * including space for the trailing NUL */
+#define MAX_COMMENT_LENGTH 0xFFFFFFFE
+#define fs_comment_clamp(c) MIN((c),MAX_COMMENT_LENGTH)
+
+static size_t
 fs_comment_len (const char * s)
 {
   size_t len;
@@ -53,7 +57,7 @@
   if (s == NULL) return 0;
 
   len = strlen (s);
-  return (unsigned long) MIN(len, 0xFFFFFFFF);
+  return fs_comment_clamp(len);
 }
 
 static char *
@@ -67,11 +71,12 @@
 }
 
 static char *
-fs_strdup_len (const char * s, int len)
+fs_strdup_len (const char * s, size_t len)
 {
   char * ret;
   if (s == NULL) return NULL;
   if (len == 0) return NULL;
+  len = fs_comment_clamp(len);
   ret = fs_malloc (len + 1);
   if (ret == NULL) return NULL;
   if (strncpy (ret, s, len) == NULL) {
@@ -421,7 +426,8 @@
 			    long length)
 {
    char *c= (char *)comments;
-   int len, i, nb_fields, n;
+   int i, nb_fields, n;
+   size_t len;
    char *end;
    char * name, * value, * nvalue = NULL;
    FishSoundComment * comment;