'[Filesystem-cvs] http httpfsys.cpp,1.72.2.22.2.3,1.72.2.22.2.3.4.1'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       helix-filesystem-cvs
Subject:    [Filesystem-cvs] http httpfsys.cpp,1.72.2.22.2.3,1.72.2.22.2.3.4.1
From:       kprcela () helixcommunity ! org
Date:       2009-10-02 10:35:49
Message-ID: 200910021146.n92Bk0AQ025467 () mailer ! progressive-comp ! com
[Download RAW message or body]

Update of /cvsroot/filesystem/http
In directory cvs01.internal.helixcommunity.org:/tmp/cvs-serv26432

Modified Files:
      Tag: ospreygold
	httpfsys.cpp 
Log Message:
Modified by: kprcela at real.com
Reviewed by: ehyche at real.com
Project: osprey

Synopsis
===============
Fix for Bugzilla Bug 246906: Security Vulnerability: ZDI-CAN-509: SMIL File Format \
StreamTitle Heap Corruption Vulnerability

Details
===============
I successfuly reproduced this crash once by following the steps inside bug \
description.

The fix that has been made in HEAD branch is tested again and it solves this crash or \
indefinite registry writing process.

The problem was in calculation of song title length where empty title has not been \
assumed and thus has not been properly handled. 

In code:
pTemp = HXFindCharN(pMetaStart, ';', ulMetaLength);
if (pTemp)
{
nLen = (pTemp - 1) - (pMetaStart);
...
If pMetaStart string starts with ';' the nLen is equal to -1 and it is observed as \
proper string length.  Thus, the if condition is changed to be sure that song title \
is not empty: if (pTemp && (pTemp-1) > pMetaStart)

Branches
===============
hxclient_2_0_4_cayenne

Modules/files affected
=============================
Changed:
filesystem/http/httpfsys.cpp

Platforms and Profiles Affected:
==================================
x86 Windows XP SP2

Copyright assignment:
==================================
I am a RealNetworks employee or contractor

Index: httpfsys.cpp
===================================================================
RCS file: /cvsroot/filesystem/http/httpfsys.cpp,v
retrieving revision 1.72.2.22.2.3
retrieving revision 1.72.2.22.2.3.4.1
diff -u -d -r1.72.2.22.2.3 -r1.72.2.22.2.3.4.1

--- httpfsys.cpp	18 Jan 2008 20:37:48 -0000	1.72.2.22.2.3
+++ httpfsys.cpp	2 Oct 2009 10:35:46 -0000	1.72.2.22.2.3.4.1
@@ -8714,7 +8714,7 @@
                         // Get the length of just the song title
                         pTemp = HXFindCharN(pMetaStart, ';', ulMetaLength);
                         
-                        if (pTemp)
+                        if (pTemp && (pTemp-1) > pMetaStart)
                         {
                             nLen = (pTemp - 1) - (pMetaStart);
                         }


_______________________________________________
Filesystem-cvs mailing list
Filesystem-cvs@helixcommunity.org
http://lists.helixcommunity.org/mailman/listinfo/filesystem-cvs


[prev in list] [next in list] [prev in thread] [next in thread] 
