
Commit c4d3498

sauwmingnanangizzalichtmaneoff
authored
Merge pull request from GHSA-fq45-m3f7-3mhj
* Initial patch * Use 'pj_scan_is_eof(scanner)' Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com> * Use 'pj_scan_is_eof(scanner)' Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com> * Use 'pj_scan_is_eof(scanner)' Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com> * Use `!pj_scan_is_eof` instead of manually checking `scanner->curptr < scanner->end` Co-authored-by: Maksim Mukosey <mmukosey@gmail.com> * Update pjlib-util/src/pjlib-util/scanner.c Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com> * Update pjlib-util/src/pjlib-util/scanner.c Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com> * Update pjlib-util/src/pjlib-util/scanner.c Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com> * Revert '>=' back to '>' in pj_scan_stricmp_alnum() * Fix compile errors. Co-authored-by: Nanang Izzuddin <nanang@teluu.com> Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com> Co-authored-by: Maksim Mukosey <mmukosey@gmail.com>
1 parent e948f48 commit c4d3498

3 files changed

+48
-28
lines changed


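--- a/pjlib-util/src/pjlib-util/scanner.c
+++ b/pjlib-util/src/pjlib-util/scanner.c
@@ -195,7 +195,13 @@ PJ_DEF(void) pj_scan_skip_whitespace( pj_scanner *scanner )
 
 PJ_DEF(void) pj_scan_skip_line( pj_scanner *scanner )
 {
-char *s = pj_memchr(scanner->curptr, '\n', scanner->end - scanner->curptr);
+char *s;
+
+if (pj_scan_is_eof(scanner)) {
+return;
+}
+
+s = pj_memchr(scanner->curptr, '\n', scanner->end - scanner->curptr);
 if (!s) {
 scanner->curptr = scanner->end;
 } else {
@@ -264,8 +270,7 @@ PJ_DEF(void) pj_scan_get( pj_scanner *scanner,
 
 pj_assert(pj_cis_match(spec,0)==0);
 
-/* EOF is detected implicitly */
-if (!pj_cis_match(spec, *s)) {
+if (pj_scan_is_eof(scanner) || !pj_cis_match(spec, *s)) {
 pj_scan_syntax_err(scanner);
 return;
 }
@@ -299,8 +304,7 @@ PJ_DEF(void) pj_scan_get_unescape( pj_scanner *scanner,
 /* Must not match character '%' */
 pj_assert(pj_cis_match(spec,'%')==0);
 
-/* EOF is detected implicitly */
-if (!pj_cis_match(spec, *s) && *s != '%') {
+if (pj_scan_is_eof(scanner) || !pj_cis_match(spec, *s) && *s != '%') {
 pj_scan_syntax_err(scanner);
 return;
 }
@@ -436,7 +440,9 @@ PJ_DEF(void) pj_scan_get_n( pj_scanner *scanner,
 
 scanner->curptr += N;
 
-if (PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && scanner->skip_ws) {
+if (!pj_scan_is_eof(scanner) &&
+PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && scanner->skip_ws)
+{
 pj_scan_skip_whitespace(scanner);
 }
 }
@@ -467,15 +473,16 @@ PJ_DEF(int) pj_scan_get_char( pj_scanner *scanner )
 
 PJ_DEF(void) pj_scan_get_newline( pj_scanner *scanner )
 {
-if (!PJ_SCAN_IS_NEWLINE(*scanner->curptr)) {
+if (pj_scan_is_eof(scanner) || !PJ_SCAN_IS_NEWLINE(*scanner->curptr)) {
 pj_scan_syntax_err(scanner);
 return;
 }
 
+/* We have checked scanner->curptr validity above */
 if (*scanner->curptr == '\r') {
 ++scanner->curptr;
 }
-if (*scanner->curptr == '\n') {
+if (!pj_scan_is_eof(scanner) && *scanner->curptr == '\n') {
 ++scanner->curptr;
 }
 
@@ -520,7 +527,9 @@ PJ_DEF(void) pj_scan_get_until( pj_scanner *scanner,
 
 scanner->curptr = s;
 
-if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {
+if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&
+scanner->skip_ws)
+{
 pj_scan_skip_whitespace(scanner);
 }
 }
@@ -544,7 +553,9 @@ PJ_DEF(void) pj_scan_get_until_ch( pj_scanner *scanner,
 
 scanner->curptr = s;
 
-if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {
+if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&
+scanner->skip_ws)
+{
 pj_scan_skip_whitespace(scanner);
 }
 }
@@ -570,7 +581,9 @@ PJ_DEF(void) pj_scan_get_until_chr( pj_scanner *scanner,
 
 scanner->curptr = s;
 
-if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {
+if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&
+scanner->skip_ws)
+{
 pj_scan_skip_whitespace(scanner);
 }
 }
@@ -585,7 +598,9 @@ PJ_DEF(void) pj_scan_advance_n( pj_scanner *scanner,
 
 scanner->curptr += N;
 
-if (PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && skip_ws) {
+if (!pj_scan_is_eof(scanner) &&
+PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && skip_ws)
+{
 pj_scan_skip_whitespace(scanner);
 }
 }
@@ -636,5 +651,3 @@ PJ_DEF(void) pj_scan_restore_state( pj_scanner *scanner,
 scanner->line = state->line;
 scanner->start_line = state->start_line;
 }
-
-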
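Review bot: In the pj_scan_get_unescape hunk the new condition `if (pj_scan_is_eof(scanner) || !pj_cis_match(spec, *s) && *s != '%')` relies on `&&` binding tighter than `||`; it evaluates as intended because the EOF test short-circuits before `*s` is read, but it trips -Wparentheses and the precedence is easy to misread in a bounds check, so write it as `if (pj_scan_is_eof(scanner) || (!pj_cis_match(spec, *s) && *s != '%'))`. Both this hunk and the pj_scan_get hunk also assume `s` still equals `scanner->curptr` when the EOF test runs; `s` is assigned outside the hunk, so that should be confirmed. The pj_scan_get_n and pj_scan_advance_n hunks do `scanner->curptr += N` and only then test `pj_scan_is_eof`, which is sound only if N is bounded against the remaining length before the hunk and pj_scan_is_eof compares with `>=` rather than `==`, neither of which is visible here. All of these functions begin outside their hunks.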

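--- a/pjmedia/src/pjmedia/rtp.c
+++ b/pjmedia/src/pjmedia/rtp.c
@@ -188,6 +188,11 @@ PJ_DEF(pj_status_t) pjmedia_rtp_decode_rtp2(
 /* Payload is located right after header plus CSRC */
 offset = sizeof(pjmedia_rtp_hdr) + ((*hdr)->cc * sizeof(pj_uint32_t));
 
+/* Check that offset is less than packet size */
+if (offset >= pkt_len) {
+return PJMEDIA_RTP_EINLEN;
+}
+
 /* Decode RTP extension. */
 if ((*hdr)->x) {
 if (offset + sizeof (pjmedia_rtp_ext_hdr) > (unsigned)pkt_len)
@@ -202,8 +207,8 @@ PJ_DEF(pj_status_t) pjmedia_rtp_decode_rtp2(
 dec_hdr->ext_len = 0;
 }
 
-/* Check that offset is less than packet size */
-if (offset > pkt_len)
+/* Check again that offset is still less than packet size */
+if (offset >= pkt_len)
 return PJMEDIA_RTP_EINLEN;
 
 /* Find and set payload. */
@@ -393,5 +398,3 @@ void pjmedia_rtp_seq_update( pjmedia_rtp_seq_session *sess,
 seq_status->status.value = st.status.value;
 }
 }
-
-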
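Review bot: The added `if (offset >= pkt_len)` at new line 192 and the tightened `if (offset >= pkt_len)` at new line 211 now reject a packet whose payload is exactly zero bytes (offset == pkt_len), which the previous `offset > pkt_len` accepted; that is a behavioural change the commit message does not mention. If the goal is only to keep later reads inside the buffer, the old `>` preserves empty-payload decoding and the guard belongs at the point where `payloadlen` is consumed (outside the hunk); if empty payloads are meant to be rejected, say so in the comment, e.g. `/* Reject packets with no payload: offset must be strictly less than pkt_len */`. The declared types of `offset` and `pkt_len` are not visible, but the existing `(unsigned)pkt_len` cast two lines below suggests mixed signedness, so the two new comparisons may deserve the same cast to avoid a signed/unsigned promotion surprise. pjmedia_rtp_decode_rtp2 begins and ends outside these hunks.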

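--- a/pjmedia/src/pjmedia/sdp.c
+++ b/pjmedia/src/pjmedia/sdp.c
@@ -983,13 +983,13 @@ static void parse_version(pj_scanner *scanner,
 ctx->last_error = PJMEDIA_SDP_EINVER;
 
 /* check equal sign */
-if (*(scanner->curptr+1) != '=') {
+if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
 on_scanner_error(scanner);
 return;
 }
 
 /* check version is 0 */
-if (*(scanner->curptr+2) != '0') {
+if (scanner->curptr+2 >= scanner->end || *(scanner->curptr+2) != '0') {
 on_scanner_error(scanner);
 return;
 }
@@ -1006,7 +1006,7 @@ static void parse_origin(pj_scanner *scanner, pjmedia_sdp_session *ses,
 ctx->last_error = PJMEDIA_SDP_EINORIGIN;
 
 /* check equal sign */
-if (*(scanner->curptr+1) != '=') {
+if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
 on_scanner_error(scanner);
 return;
 }
@@ -1052,7 +1052,7 @@ static void parse_time(pj_scanner *scanner, pjmedia_sdp_session *ses,
 ctx->last_error = PJMEDIA_SDP_EINTIME;
 
 /* check equal sign */
-if (*(scanner->curptr+1) != '=') {
+if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
 on_scanner_error(scanner);
 return;
 }
@@ -1080,7 +1080,7 @@ static void parse_generic_line(pj_scanner *scanner, pj_str_t *str,
 ctx->last_error = PJMEDIA_SDP_EINSDP;
 
 /* check equal sign */
-if (*(scanner->curptr+1) != '=') {
+if ((scanner->curptr+1 >= scanner->end) || *(scanner->curptr+1) != '=') {
 on_scanner_error(scanner);
 return;
 }
@@ -1149,7 +1149,7 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,
 ctx->last_error = PJMEDIA_SDP_EINMEDIA;
 
 /* check the equal sign */
-if (*(scanner->curptr+1) != '=') {
+if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
 on_scanner_error(scanner);
 return;
 }
@@ -1164,6 +1164,10 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,
 /* port */
 pj_scan_get(scanner, &cs_token, &str);
 med->desc.port = (unsigned short)pj_strtoul(&str);
+if (pj_scan_is_eof(scanner)) {
+on_scanner_error(scanner);
+return;
+}
 if (*scanner->curptr == '/') {
 /* port count */
 pj_scan_get_char(scanner);
@@ -1175,15 +1179,15 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,
 }
 
 if (pj_scan_get_char(scanner) != ' ') {
-PJ_THROW(SYNTAX_ERROR);
+on_scanner_error(scanner);
 }
 
 /* transport */
 pj_scan_get_until_chr(scanner, " \t\r\n", &med->desc.transport);
 
 /* format list */
 med->desc.fmt_count = 0;
-while (*scanner->curptr == ' ') {
+while (scanner->curptr < scanner->end && *scanner->curptr == ' ') {
 pj_str_t fmt;
 
 pj_scan_get_char(scanner);
@@ -1223,7 +1227,7 @@ static pjmedia_sdp_attr *parse_attr( pj_pool_t *pool, pj_scanner *scanner,
 attr = PJ_POOL_ALLOC_T(pool, pjmedia_sdp_attr);
 
 /* check equal sign */
-if (*(scanner->curptr+1) != '=') {
+if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
 on_scanner_error(scanner);
 return NULL;
 }
@@ -1242,7 +1246,7 @@ static pjmedia_sdp_attr *parse_attr( pj_pool_t *pool, pj_scanner *scanner,
 pj_scan_get_char(scanner);
 
 /* get value */
-if (*scanner->curptr != '\r' && *scanner->curptr != '\n') {
+if (!pj_scan_is_eof(scanner) && *scanner->curptr != '\r' && *scanner->curptr != '\n') {
 pj_scan_get_until_chr(scanner, "\r\n", &attr->value);
 } else {
 attr->value.ptr = NULL;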
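Review bot: The format-list loop in parse_media, `while (scanner->curptr < scanner->end && *scanner->curptr == ' ')`, hand-codes the bound that the rest of this commit (the port check four lines above it and the value check in parse_attr) expresses through `pj_scan_is_eof()`; write it as `while (!pj_scan_is_eof(scanner) && *scanner->curptr == ' ')` so the end-of-input invariant lives in one place. In the same function the replaced line `on_scanner_error(scanner);` after `pj_scan_get_char(scanner) != ' '` is the only error call in this section not followed by `return`; if on_scanner_error ever returns instead of unwinding (its body is outside the hunk), parsing continues past the error, so add a `return;` there for consistency with the other call sites. The `scanner->curptr+1 >= scanner->end` and `curptr+2` guards form the pointer before comparing it, which is well-defined while curptr is inside the buffer but not if curptr already equals end; a leading `pj_scan_is_eof(scanner)` test would remove that dependence on the caller's state. Each of these functions begins and ends outside its hunk.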
