List: helix-filesystem-cvs
Subject: [Filesystem-cvs] http httpfsys.cpp,1.72.2.22.2.3,1.72.2.22.2.3.4.1
From: kprcela () helixcommunity ! org
Date: 2009-10-02 10:35:49
Message-ID: 200910021146.n92Bk0AQ025467 () mailer ! progressive-comp ! com
Update of /cvsroot/filesystem/http
In directory cvs01.internal.helixcommunity.org:/tmp/cvs-serv26432
Modified Files:
Tag: ospreygold
httpfsys.cpp
Log Message:
Modified by: kprcela at real.com
Reviewed by: ehyche at real.com
Project: osprey
Synopsis
===============
Fix for Bugzilla Bug 246906: Security Vulnerability: ZDI-CAN-509: SMIL File Format StreamTitle Heap Corruption Vulnerability
Details
===============
I successfully reproduced this crash once by following the steps inside the bug description.
The fix that has been made in the HEAD branch is tested again and it solves this crash or indefinite registry writing process.
The problem was in the calculation of the song title length, where an empty title has not been assumed and thus has not been properly handled.
In code:
pTemp = HXFindCharN(pMetaStart, ';', ulMetaLength);
if (pTemp)
{
nLen = (pTemp - 1) - (pMetaStart);
...
If pMetaStart string starts with ';' the nLen is equal to -1 and it is observed as proper string length. Thus, the if condition is changed to be sure that song title is not empty: if (pTemp && (pTemp-1) > pMetaStart)
Branches
===============
hxclient_2_0_4_cayenne
Modules/files affected
=============================
Changed:
filesystem/http/httpfsys.cpp
Platforms and Profiles Affected:
==================================
x86 Windows XP SP2
Copyright assignment:
==================================
I am a RealNetworks employee or contractor
Index: httpfsys.cpp
===================================================================
RCS file: /cvsroot/filesystem/http/httpfsys.cpp,v
retrieving revision 1.72.2.22.2.3
retrieving revision 1.72.2.22.2.3.4.1
diff -u -d -r1.72.2.22.2.3 -r1.72.2.22.2.3.4.1
--- httpfsys.cpp 18 Jan 2008 20:37:48 -0000 1.72.2.22.2.3
+++ httpfsys.cpp 2 Oct 2009 10:35:46 -0000 1.72.2.22.2.3.4.1
@@ -8714,7 +8714,7 @@
// Get the length of just the song title
pTemp = HXFindCharN(pMetaStart, ';', ulMetaLength);
- if (pTemp)
+ if (pTemp && (pTemp-1) > pMetaStart)
{
nLen = (pTemp - 1) - (pMetaStart);
}
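Review bot: when the new condition `pTemp && (pTemp-1) > pMetaStart` is false, nLen is not assigned anywhere in the lines shown, so the code after the closing brace runs with whatever value nLen held before. Please confirm nLen is initialised to 0 ahead of this block, or add an explicit else that sets it and skips the title handling. Separately, when pTemp equals pMetaStart the expression `pTemp-1` forms a pointer below pMetaStart only to compare it; `pTemp - pMetaStart > 1` is the same test without that step. The comment above the search could also state that an empty title and a leading ';' are now rejected.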
_______________________________________________
Filesystem-cvs mailing list
Filesystem-cvs@helixcommunity.org
http://lists.helixcommunity.org/mailman/listinfo/filesystem-cvs
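The length calculation described under Details, as an added example that is not part of the original message or the Helix source. find_char_n is a hypothetical stand-in for HXFindCharN, the inputs are constructed, and returning 0 when there is no usable title is an assumption of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for HXFindCharN: find c within the first n bytes of s. */
static const char *find_char_n(const char *s, char c, size_t n)
{
    return (const char *)memchr(s, c, n);
}

/* Pre-fix logic. (end - meta) - 1 equals the page's (pTemp - 1) - pMetaStart. */
long title_len_unguarded(const char *meta, size_t meta_len)
{
    const char *end = find_char_n(meta, ';', meta_len);
    return end ? (long)(end - meta) - 1 : 0;
}

/* Post-fix logic: end - meta > 1 is the same test as (pTemp - 1) > pMetaStart.
 * Returning 0 when the test fails is this example's assumption. */
long title_len_guarded(const char *meta, size_t meta_len)
{
    const char *end = find_char_n(meta, ';', meta_len);
    return (end && end - meta > 1) ? (long)(end - meta) - 1 : 0;
}

/* Copy the title into a fixed buffer; returns bytes copied, or -1 if no title. */
int copy_title(char *dst, size_t dst_size, const char *meta, size_t meta_len)
{
    long n = title_len_guarded(meta, meta_len);
    if (n <= 0 || dst_size == 0)
        return -1;
    if ((size_t)n >= dst_size)
        n = (long)dst_size - 1;          /* truncate rather than overflow dst */
    memcpy(dst, meta, (size_t)n);
    dst[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed inputs: normal title, empty title, leading ';'. */
    const char *samples[] = { "Some Song';", "';", ";" };
    for (size_t i = 0; i < 3; i++) {
        size_t len = strlen(samples[i]);
        long bad = title_len_unguarded(samples[i], len);
        printf("%-12s unguarded=%ld (as size_t: %zu) guarded=%ld\n", samples[i],
               bad, (size_t)bad, title_len_guarded(samples[i], len));
    }
    return 0;
}
```

The size_t column shows why a length of -1 is dangerous once it reaches a copy routine that takes an unsigned count.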