* Fix a crash bug with certain invalid Browse or Search requests.

2011-08-18 18:52:58 +00:00 · 2011-08-18 18:52:58 +00:00 · c599ed3a9f
commit c599ed3a9f
parent f7202b9564
1 changed files with 39 additions and 41 deletions
--- a/upnpsoap.c
+++ b/upnpsoap.c
@ -983,22 +983,28 @@ BrowseContentDirectory(struct upnphttp * h, const char * action)
 			"<Result>"
 			"&lt;DIDL-Lite"
 			CONTENT_DIRECTORY_SCHEMAS;
-	char *zErrMsg = 0;
+	char *zErrMsg = NULL;
 	char *sql, *ptr;
 	int ret;
 	struct Response args;
 	struct string_s str;
 	int totalMatches;
 	int ret;
 	char *ObjectID, *Filter, *BrowseFlag, *SortCriteria;
 	char *orderBy = NULL;
 	struct NameValueParserData data;
 	ParseNameValue(h->req_buf + h->req_contentoff, h->req_contentlen, &data);
 	char * ObjectID = GetValueFromNameValueList(&data, "ObjectID");
 	char * Filter = GetValueFromNameValueList(&data, "Filter");
 	char * BrowseFlag = GetValueFromNameValueList(&data, "BrowseFlag");
 	char * SortCriteria = GetValueFromNameValueList(&data, "SortCriteria");
 	char * orderBy = NULL;
 	int RequestedCount = 0;
 	int StartingIndex = 0;
 	memset(&args, 0, sizeof(args));
 	memset(&str, 0, sizeof(str));
 	ParseNameValue(h->req_buf + h->req_contentoff, h->req_contentlen, &data);
 	ObjectID = GetValueFromNameValueList(&data, "ObjectID");
 	Filter = GetValueFromNameValueList(&data, "Filter");
 	BrowseFlag = GetValueFromNameValueList(&data, "BrowseFlag");
 	SortCriteria = GetValueFromNameValueList(&data, "SortCriteria");
 	if( (ptr = GetValueFromNameValueList(&data, "RequestedCount")) )
 		RequestedCount = atoi(ptr);
 	if( !RequestedCount )
@ -1015,8 +1021,6 @@ BrowseContentDirectory(struct upnphttp * h, const char * action)
 		SoapError(h, 701, "No such object error");
 		goto browse_error;
 	}
 	memset(&args, 0, sizeof(args));
 	memset(&str, 0, sizeof(str));
 	str.data = malloc(DEFAULT_RESP_SIZE);
 	str.size = DEFAULT_RESP_SIZE;
@ -1171,25 +1175,29 @@ SearchContentDirectory(struct upnphttp * h, const char * action)
 			"<Result>"
 			"&lt;DIDL-Lite"
 			CONTENT_DIRECTORY_SCHEMAS;
-	char *zErrMsg = 0;
+	char *zErrMsg = NULL;
 	char *sql, *ptr;
 	char **result;
 	struct Response args;
 	struct string_s str;
-	int totalMatches = 0;
+	int totalMatches;
 	int ret;
-
+	char *ContainerID, *Filter, *SearchCriteria, *SortCriteria;
-	struct NameValueParserData data;
+	char *newSearchCriteria = NULL, *orderBy = NULL;
 	ParseNameValue(h->req_buf + h->req_contentoff, h->req_contentlen, &data);
 	char * ContainerID = GetValueFromNameValueList(&data, "ContainerID");
 	char * Filter = GetValueFromNameValueList(&data, "Filter");
 	char * SearchCriteria = GetValueFromNameValueList(&data, "SearchCriteria");
 	char * SortCriteria = GetValueFromNameValueList(&data, "SortCriteria");
 	char * newSearchCriteria = NULL;
 	char * orderBy = NULL;
 	char groupBy[] = "group by DETAIL_ID";
 	struct NameValueParserData data;
 	int RequestedCount = 0;
 	int StartingIndex = 0;
 	memset(&args, 0, sizeof(args));
 	memset(&str, 0, sizeof(str));
 	ParseNameValue(h->req_buf + h->req_contentoff, h->req_contentlen, &data);
 	ContainerID = GetValueFromNameValueList(&data, "ContainerID");
 	Filter = GetValueFromNameValueList(&data, "Filter");
 	SearchCriteria = GetValueFromNameValueList(&data, "SearchCriteria");
 	SortCriteria = GetValueFromNameValueList(&data, "SortCriteria");
 	if( (ptr = GetValueFromNameValueList(&data, "RequestedCount")) )
 		RequestedCount = atoi(ptr);
 	if( !RequestedCount )
@ -1204,8 +1212,6 @@ SearchContentDirectory(struct upnphttp * h, const char * action)
 			goto search_error;
 		}
 	}
 	memset(&args, 0, sizeof(args));
 	memset(&str, 0, sizeof(str));
 	str.data = malloc(DEFAULT_RESP_SIZE);
 	str.size = DEFAULT_RESP_SIZE;
@ -1317,22 +1323,14 @@ SearchContentDirectory(struct upnphttp * h, const char * action)
 	}
 	DPRINTF(E_DEBUG, L_HTTP, "Translated SearchCriteria: %s\n", SearchCriteria);
-	sql = sqlite3_mprintf("SELECT (select count(distinct DETAIL_ID)"
+	totalMatches = sql_get_int_field(db, "SELECT (select count(distinct DETAIL_ID)"
-	                      " from OBJECTS o left join DETAILS d on (o.DETAIL_ID = d.ID)"
+	                                     " from OBJECTS o left join DETAILS d on (o.DETAIL_ID = d.ID)"
-	                      " where (OBJECT_ID glob '%s$*') and (%s))"
+	                                     " where (OBJECT_ID glob '%s$*') and (%s))"
-	                      " + "
+	                                     " + "
-	                      "(select count(*) from OBJECTS o left join DETAILS d on (o.DETAIL_ID = d.ID)"
+	                                     "(select count(*) from OBJECTS o left join DETAILS d on (o.DETAIL_ID = d.ID)"
-	                      " where (OBJECT_ID = '%s') and (%s))",
+	                                     " where (OBJECT_ID = '%s') and (%s))",
-	                      ContainerID, SearchCriteria, ContainerID, SearchCriteria);
+	                                     ContainerID, SearchCriteria, ContainerID, SearchCriteria);
-	//DEBUG DPRINTF(E_DEBUG, L_HTTP, "Count SQL: %s\n", sql);
+	if( totalMatches < 0 )
 	ret = sql_get_table(db, sql, &result, NULL, NULL);
 	sqlite3_free(sql);
 	if( ret == SQLITE_OK )
 	{
 		totalMatches = atoi(result[1]);
 		sqlite3_free_table(result);
 	}
 	else
 	{
 		/* Must be invalid SQL, so most likely bad or unhandled search criteria. */
 		SoapError(h, 708, "Unsupported or invalid search criteria");