changeset 30749:88cd611f49dd

Improve integer overflow and realloc error handling in playlist parser.
author reimar
date Sun, 28 Feb 2010 09:37:35 +0000
parents 923f55aafcf6
children b9ec8956164f
files playtreeparser.c
diffstat 1 files changed, 18 insertions(+), 3 deletions(-) [+]
--- a/playtreeparser.c	Sun Feb 28 07:52:34 2010 +0000
+++ b/playtreeparser.c	Sun Feb 28 09:37:35 2010 +0000
@@ -30,6 +30,7 @@
 #include <fcntl.h>
 #include <unistd.h>
 #include <ctype.h>
+#include <limits.h>
 #include "asxparser.h"
 #include "m_config.h"
 #include "playtree.h"
@@ -80,8 +81,15 @@
   while(1) {
 
     if(resize) {
+      char *tmp;
       r = p->iter - p->buffer;
-      p->buffer = realloc(p->buffer, p->buffer_size + BUF_STEP);
+      end = p->buffer + p->buffer_end;
+      if (p->buffer_size > INT_MAX - BUF_STEP)
+        break;
+      tmp = realloc(p->buffer, p->buffer_size + BUF_STEP);
+      if (!tmp)
+        break;
+      p->buffer = tmp;
       p->iter = p->buffer + r;
       p->buffer_size += BUF_STEP;
       resize = 0;
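Review bot: The new `end = p->buffer + p->buffer_end;` is computed from the old block before the realloc, so it is valid on the two `break` paths but points into freed memory once `p->buffer = tmp;` succeeds and the block has moved. If anything later in the loop reads `end` before reassigning it, recompute it after the move, `end = p->buffer + p->buffer_end;` right after `p->iter = p->buffer + r;`, or add a comment stating that `end` is set here only for the break paths. Both new failure cases leave the loop silently, so a truncated playlist gives no hint why; an `mp_msg(MSGT_PLAYTREE, MSGL_ERR, "Cannot grow playlist buffer\n")` on the `!tmp` path would help. The `INT_MAX - BUF_STEP` guard assumes `p->buffer_size` is an `int`; if the field is `size_t` the comparison should use `SIZE_MAX`. The enclosing function starts before this hunk and the loop body continues past it, so the later uses of `end` are not visible here.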
@@ -238,6 +246,7 @@
 pls_read_entry(char* line,pls_entry_t** _e,int* _max_entry,char** val) {
   int num,max_entry = (*_max_entry);
   pls_entry_t* e = (*_e);
+  int limit = INT_MAX / sizeof(*e);
   char* v;
 
   v = pls_entry_get_value(line);
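Review bot: `limit` needs a comment, because its purpose, bounding `num` so that `num * sizeof(pls_entry_t)` in the later realloc and memset cannot overflow, is not visible from the declaration; something like `/* largest entry index whose allocation size still fits in an int */`. The expression is evaluated as `size_t` and implicitly narrowed to `int`; `int limit = (int)(INT_MAX / sizeof(*e));` makes the intended narrowing explicit and keeps -Wconversion quiet. The body of pls_read_entry continues past this hunk.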
@@ -247,12 +256,18 @@
   }
 
   num = atoi(line);
-  if(num < 0) {
+  if(num < 0 || num > limit) {
+    if (max_entry >= limit) {
+        mp_msg(MSGT_PLAYTREE, MSGL_WARN, "Too many index entries\n");
+        return 0;
+    }
     num = max_entry+1;
-    mp_msg(MSGT_PLAYTREE,MSGL_WARN,"No entry index in entry %s\nAssuming %d\n",line,num);
+    mp_msg(MSGT_PLAYTREE,MSGL_WARN,"No or invalid entry index in entry %s\nAssuming %d\n",line,num);
   }
   if(num > max_entry) {
     e = realloc(e, num * sizeof(pls_entry_t));
+    if (!e)
+      return 0;
     memset(&e[max_entry],0,(num-max_entry)*sizeof(pls_entry_t));
     max_entry = num;
   }
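Review bot: The realloc failure path `if (!e) return 0;` is silent while the parallel "Too many index entries" path warns; for consistency log before returning, e.g. `if (!e) { mp_msg(MSGT_PLAYTREE, MSGL_WARN, "Cannot allocate playlist entries\n"); return 0; }`. Overwriting `e` with the realloc result is only leak-free because the caller still owns the old block through `*_e`, which is presumably not written back before this return (that store is outside the hunk); a one-line comment saying so would stop a later edit from moving the write-back earlier. The new `num > limit` guard does not cover `atoi` itself, which reports no overflow, so an index string beyond INT_MAX is already mangled before the check is reached; `strtol` with an `ERANGE` and end-pointer check would close that gap. Also, the new inner block is indented with 8 spaces where the surrounding file uses 2 per level.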