
clamp comment lengths to fit within 32 bits (including trailing NUL).

Fixes potential wrapping of strlen in fs_strdup, fs_strdup_len

git-svn-id: http://svn.annodex.net/libfishsound/trunk@3887 8158c8cd-e7e1-0310-9fa4-c5954c97daef
commit 9bee4284188944267a1fc38b15e52f6465babd93 1 parent a2e3019
conrad authored

Showing 1 changed file with 11 additions and 5 deletions. Show diff stats Hide diff stats

  1. +11 5 src/libfishsound/comments.c
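--- a/src/libfishsound/comments.c
+++ b/src/libfishsound/comments.c
@@ -44,8 +44,12 @@
 
 /*#define DEBUG*/
 
-/* Ensure comment vector length can be expressed in 32 bits */
-static unsigned long
+/* Ensure comment vector length can be expressed in 32 bits
+ * including space for the trailing NUL */
+#define MAX_COMMENT_LENGTH 0xFFFFFFFE
+#define fs_comment_clamp(c) MIN((c),MAX_COMMENT_LENGTH)
+
+static size_t
 fs_comment_len (const char * s)
 {
 size_t len;
@@ -53,7 +57,7 @@ fs_comment_len (const char * s)
 if (s == NULL) return 0;
 
 len = strlen (s);
- return (unsigned long) MIN(len, 0xFFFFFFFF);
+ return fs_comment_clamp(len);
 }
 
 static char *
@@ -67,11 +71,12 @@ fs_strdup (const char * s)
 }
 
 static char *
-fs_strdup_len (const char * s, int len)
+fs_strdup_len (const char * s, size_t len)
 {
 char * ret;
 if (s == NULL) return NULL;
 if (len == 0) return NULL;
+ len = fs_comment_clamp(len);
 ret = fs_malloc (len + 1);
 if (ret == NULL) return NULL;
 if (strncpy (ret, s, len) == NULL) {
@@ -421,7 +426,8 @@ fish_sound_comments_decode (FishSound * fsound, unsigned char * comments,
 long length)
 {
 char *c= (char *)comments;
- int len, i, nb_fields, n;
+ int i, nb_fields, n;
+ size_t len;
 char *end;
 char * name, * value, * nvalue = NULL;
 FishSoundComment * comment;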
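Review bot: Changing `len` from `int` to `size_t` in fish_sound_comments_decode changes the meaning of every comparison that uses it, and the body holding those comparisons lies outside this hunk, so they need re-checking. A guard of the form `len < 0` would now be always false. A bounds test written as `c + len > end` can wrap the pointer when a length field read from the stream is close to 0xFFFFFFFF, so an oversized field might no longer be rejected. If such checks exist, I would express them against the remaining bytes, `if (len > (size_t)(end - c))` followed by the function's existing error return, before each call to fs_strdup_len. The clamp added in fs_strdup_len only keeps `len + 1` from wrapping; it does not confirm that the source buffer holds `len` bytes.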
