
List:       helix-filesystem-cvs
Subject:    [Filesystem-cvs] http httpfsys.cpp,1.134,1.135
From:       kprcela () helixcommunity ! org
Date:       2009-10-06 7:24:45
Message-ID: 200910060834.n968Ykdx016751 () mailer ! progressive-comp ! com

Update of /cvsroot/filesystem/http
In directory cvs01.internal.helixcommunity.org:/tmp/cvs-serv3995

Modified Files:
	httpfsys.cpp 
Log Message:
Modified by: kprcela at real.com
Reviewed by: ehyche at real.com
Project: osprey

Synopsis
===============
Fix for Bugzilla Bug 246906: Security Vulnerability: ZDI-CAN-509: SMIL File Format
StreamTitle Heap Corruption Vulnerability

Details
===============
I successfully reproduced this crash once by following the steps inside bug
description.

The fix that has been made in HEAD branch is tested again and it solves this crash or
indefinite registry writing process.

The problem was in calculation of song title length where empty title has not been
assumed and thus has not been properly handled.

In code:
pTemp = HXFindCharN(pMetaStart, ';', ulMetaLength);
if (pTemp)
{
nLen = (pTemp - 1) - (pMetaStart);
...
If pMetaStart string starts with ';' the nLen is equal to -1 and it is observed as
proper string length.  Thus, the if condition is changed to be sure that song title
is not empty: if (pTemp && (pTemp-1) > pMetaStart)

Branches
===============

Modules/files affected
=============================
Changed:
filesystem/http/httpfsys.cpp

Platforms and Profiles Affected:
==================================
x86 Windows XP SP2

Copyright assignment:
==================================
I am a RealNetworks employee or contractor

Index: httpfsys.cpp
===================================================================
RCS file: /cvsroot/filesystem/http/httpfsys.cpp,v
retrieving revision 1.134
retrieving revision 1.135
diff -u -d -r1.134 -r1.135
--- httpfsys.cpp	31 Aug 2009 14:17:13 -0000	1.134
+++ httpfsys.cpp	6 Oct 2009 07:24:42 -0000	1.135
@@ -9137,7 +9137,7 @@
                         // Get the length of just the song title
                         pTemp = HXFindCharN(pMetaStart, ';', ulMetaLength);
                         
-                        if (pTemp)
+                        if (pTemp && (pTemp-1) > pMetaStart)
                         {
                             nLen = (pTemp - 1) - (pMetaStart);
                         }
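Review bot: the tightened condition `if (pTemp && (pTemp-1) > pMetaStart)` now skips the assignment for an empty title, but nothing in this hunk shows what `nLen` holds in that case, so the code after the block still depends on an earlier initialization. Add an explicit `else` that sets `nLen = 0` (or leaves the title handling), plus a short comment on the condition naming the `';'`-first input it guards against. Computing the difference once and testing `nLen > 0` would also keep the check and the assignment from drifting apart.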


_______________________________________________
Filesystem-cvs mailing list
Filesystem-cvs@helixcommunity.org
http://lists.helixcommunity.org/mailman/listinfo/filesystem-cvs
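The length calculation described in the commit message, reproduced as an added example (not code from the Helix tree or from the commit author). `find_char_n`, `title_len`, `copy_title`, the sample strings and the initial `nLen = 0` are assumptions made for illustration; `copy_title` shows the kind of check a consumer of the length can apply on its own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples; meta starts at the given offset inside each one. */
const char SAMPLE_SONG[]  = "StreamTitle='Song';";  /* meta = SAMPLE_SONG + 13 */
const char SAMPLE_EMPTY[] = "StreamTitle=;";        /* meta = SAMPLE_EMPTY + 12 */

/* Hypothetical stand-in for HXFindCharN, whose signature is not on the page. */
static const char *find_char_n(const char *s, char c, size_t n)
{
    return (const char *)memchr(s, c, n);
}

/* Length as computed in revision 1.134 (patched = 0) or 1.135 (patched = 1). */
long title_len(const char *meta, size_t meta_len, int patched)
{
    long nLen = 0; /* assumed initial value; not visible in the hunk */
    const char *pTemp = find_char_n(meta, ';', meta_len);

    if (pTemp && (!patched || (pTemp - 1) > meta))
        nLen = (long)((pTemp - 1) - meta);
    return nLen;
}

/* Defensive consumer: refuses non-positive or oversized lengths rather than
   passing them to memcpy, where -1 would convert to SIZE_MAX. */
long copy_title(char *dst, size_t dst_size, const char *meta, long nLen)
{
    if (dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (nLen <= 0 || (size_t)nLen >= dst_size)
        return -1;
    memcpy(dst, meta, (size_t)nLen);
    dst[nLen] = '\0';
    return nLen;
}

int main(void)
{
    char buf[16];
    const char *m = SAMPLE_EMPTY + 12;
    printf("1.134: %ld  1.135: %ld\n", title_len(m, 1, 0), title_len(m, 1, 1));
    printf("copy with -1: %ld\n", copy_title(buf, sizeof buf, m, -1));
    return 0;
}
```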

