[prev in list] [next in list] [prev in thread] [next in thread]
List: helix-filesystem-cvs
Subject: [Filesystem-cvs] http httpfsys.cpp,1.134,1.135
From: kprcela () helixcommunity ! org
Date: 2009-10-06 7:24:45
Message-ID: 200910060834.n968Ykdx016751 () mailer ! progressive-comp ! com
[Download RAW message or body]
Update of /cvsroot/filesystem/http
In directory cvs01.internal.helixcommunity.org:/tmp/cvs-serv3995
Modified Files:
httpfsys.cpp
Log Message:
Modified by: kprcela at real.com
Reviewed by: ehyche at real.com
Project: osprey
Synopsis
===============
Fix for Bugzilla Bug 246906: Security Vulnerability: ZDI-CAN-509: SMIL File Format \
StreamTitle Heap Corruption Vulnerability
Details
===============
I successfuly reproduced this crash once by following the steps inside bug \
description.
The fix that has been made in HEAD branch is tested again and it solves this crash or \
indefinite registry writing process.
The problem was in calculation of song title length where empty title has not been \
assumed and thus has not been properly handled.
In code:
pTemp = HXFindCharN(pMetaStart, ';', ulMetaLength);
if (pTemp)
{
nLen = (pTemp - 1) - (pMetaStart);
...
If pMetaStart string starts with ';' the nLen is equal to -1 and it is observed as \
proper string length. Thus, the if condition is changed to be sure that song title \
is not empty: if (pTemp && (pTemp-1) > pMetaStart)
Branches
===============
Modules/files affected
=============================
Changed:
filesystem/http/httpfsys.cpp
Platforms and Profiles Affected:
==================================
x86 Windows XP SP2
Copyright assignment:
==================================
I am a RealNetworks employee or contractor
Index: httpfsys.cpp
===================================================================
RCS file: /cvsroot/filesystem/http/httpfsys.cpp,v
retrieving revision 1.134
retrieving revision 1.135
diff -u -d -r1.134 -r1.135
--- httpfsys.cpp 31 Aug 2009 14:17:13 -0000 1.134
+++ httpfsys.cpp 6 Oct 2009 07:24:42 -0000 1.135
@@ -9137,7 +9137,7 @@
// Get the length of just the song title
pTemp = HXFindCharN(pMetaStart, ';', ulMetaLength);
- if (pTemp)
+ if (pTemp && (pTemp-1) > pMetaStart)
{
nLen = (pTemp - 1) - (pMetaStart);
}
_______________________________________________
Filesystem-cvs mailing list
Filesystem-cvs@helixcommunity.org
http://lists.helixcommunity.org/mailman/listinfo/filesystem-cvs
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic