storm/minidlna
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

* Prevent a buffer overflow when an item's description is very long.

Browse Source
This commit is contained in:
Justin Maggard 2009-05-05 02:15:44 +00:00
parent 0229ee64ee
commit 392654a234
1 changed files with 18 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
upnpsoap.c
View File

@ -481,7 +481,7 @@ callback(void *args, int argc, char **argv, char **azColName)
}
}
}
ret = sprintf(str_buf, "<item id=\"%s\" parentID=\"%s\" restricted=\"1\"", id, parent);
ret = snprintf(str_buf, 512, "<item id=\"%s\" parentID=\"%s\" restricted=\"1\"", id, parent);
memcpy(passed_args->resp+passed_args->size, &str_buf, ret+1);
passed_args->size += ret;
if( refID && (passed_args->filter & FILTER_REFID) ) {
@ -489,39 +489,39 @@ callback(void *args, int argc, char **argv, char **azColName)
memcpy(passed_args->resp+passed_args->size, &str_buf, ret+1);
passed_args->size += ret;
}
ret = sprintf(str_buf, ">"
"<dc:title>%s</dc:title>"
"<upnp:class>object.%s</upnp:class>",
title, class);
ret = snprintf(str_buf, 512, ">"
"<dc:title>%s</dc:title>"
"<upnp:class>object.%s</upnp:class>",
title, class);
memcpy(passed_args->resp+passed_args->size, &str_buf, ret+1);
passed_args->size += ret;
if( comment && (passed_args->filter & FILTER_DC_DESCRIPTION) ) {
ret = sprintf(str_buf, "<dc:description>%s</dc:description>", comment);
ret = snprintf(str_buf, 512, "<dc:description>%.384s</dc:description>", comment);
memcpy(passed_args->resp+passed_args->size, &str_buf, ret+1);
passed_args->size += ret;
}
if( creator && (passed_args->filter & FILTER_DC_CREATOR) ) {
ret = sprintf(str_buf, "<dc:creator>%s</dc:creator>", creator);
ret = snprintf(str_buf, 512, "<dc:creator>%s</dc:creator>", creator);
memcpy(passed_args->resp+passed_args->size, &str_buf, ret+1);
passed_args->size += ret;
}
if( date && (passed_args->filter & FILTER_DC_DATE) ) {
ret = sprintf(str_buf, "<dc:date>%s</dc:date>", date);
ret = snprintf(str_buf, 512, "<dc:date>%s</dc:date>", date);
memcpy(passed_args->resp+passed_args->size, &str_buf, ret+1);
passed_args->size += ret;
}
if( artist && (passed_args->filter & FILTER_UPNP_ARTIST) ) {
ret = sprintf(str_buf, "<upnp:artist>%s</upnp:artist>", artist);
ret = snprintf(str_buf, 512, "<upnp:artist>%s</upnp:artist>", artist);
memcpy(passed_args->resp+passed_args->size, &str_buf, ret+1);
passed_args->size += ret;
}
if( album && (passed_args->filter & FILTER_UPNP_ALBUM) ) {
ret = sprintf(str_buf, "<upnp:album>%s</upnp:album>", album);
ret = snprintf(str_buf, 512, "<upnp:album>%s</upnp:album>", album);
memcpy(passed_args->resp+passed_args->size, &str_buf, ret+1);
passed_args->size += ret;
}
if( genre && (passed_args->filter & FILTER_UPNP_GENRE) ) {
ret = sprintf(str_buf, "<upnp:genre>%s</upnp:genre>", genre);
ret = snprintf(str_buf, 512, "<upnp:genre>%s</upnp:genre>", genre);
memcpy(passed_args->resp+passed_args->size, &str_buf, ret+1);
passed_args->size += ret;
}
@ -642,24 +642,24 @@ callback(void *args, int argc, char **argv, char **azColName)
passed_args->size += ret;
}
}
ret = sprintf(str_buf, ">"
"<dc:title>%s</dc:title>"
"<upnp:class>object.%s</upnp:class>",
title, class);
ret = snprintf(str_buf, 512, ">"
"<dc:title>%s</dc:title>"
"<upnp:class>object.%s</upnp:class>",
title, class);
memcpy(passed_args->resp+passed_args->size, &str_buf, ret+1);
passed_args->size += ret;
if( creator && (passed_args->filter & FILTER_DC_CREATOR) ) {
ret = sprintf(str_buf, "<dc:creator>%s</dc:creator>", creator);
ret = snprintf(str_buf, 512, "<dc:creator>%s</dc:creator>", creator);
memcpy(passed_args->resp+passed_args->size, &str_buf, ret+1);
passed_args->size += ret;
}
if( genre && (passed_args->filter & FILTER_UPNP_GENRE) ) {
ret = sprintf(str_buf, "<upnp:genre>%s</upnp:genre>", genre);
ret = snprintf(str_buf, 512, "<upnp:genre>%s</upnp:genre>", genre);
memcpy(passed_args->resp+passed_args->size, &str_buf, ret+1);
passed_args->size += ret;
}
if( artist && (passed_args->filter & FILTER_UPNP_ARTIST) ) {
ret = sprintf(str_buf, "<upnp:artist>%s</upnp:artist>", artist);
ret = snprintf(str_buf, 512, "<upnp:artist>%s</upnp:artist>", artist);
memcpy(passed_args->resp+passed_args->size, &str_buf, ret+1);
passed_args->size += ret;
}