Re #1703: fixing general bugs. First installment: correct handling of snprintf return value

git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@4613 74dad513-b988-da41-8d7b-12977e46ad98

3 files changed, 15 insertions, 10 deletions

diff --git a/pjsip/src/pjsua-lib/pjsua_acc.c b/pjsip/src/pjsua-lib/pjsua_acc.c
index 77d9a12c..8533c793 100644
--- a/pjsip/src/pjsua-lib/pjsua_acc.c
+++ b/pjsip/src/pjsua-lib/pjsua_acc.c
@@ -1749,7 +1749,7 @@ static pj_bool_t acc_check_nat_addr(pjsua_acc *acc,
 			       (acc->cfg.use_rfc5626? ob: ""),
 			       (int)acc->cfg.contact_params.slen,
 			       acc->cfg.contact_params.ptr);
-	if (len < 1) {
+	if (len < 1 || len >= PJSIP_MAX_URL_SIZE) {
 	    PJ_LOG(1,(THIS_FILE, "URI too long"));
 	    pj_pool_release(pool);
 	    return PJ_FALSE;
@@ -3101,7 +3101,8 @@ PJ_DEF(pj_status_t) pjsua_acc_create_uac_contact( pj_pool_t *pool,
 				     (acc->cfg.use_rfc5626? ob: ""),
 				     (int)acc->cfg.contact_params.slen,
 				     acc->cfg.contact_params.ptr);
-
+    if (contact->slen < 1 || contact->slen >= (int)PJSIP_MAX_URL_SIZE)
+	return PJ_ETOOSMALL;
     return PJ_SUCCESS;
 }
 
@@ -3271,6 +3272,8 @@ PJ_DEF(pj_status_t) pjsua_acc_create_uas_contact( pj_pool_t *pool,
 				     acc->cfg.contact_uri_params.ptr,
 				     (int)acc->cfg.contact_params.slen,
 				     acc->cfg.contact_params.ptr);
+    if (contact->slen < 1 || contact->slen >= (int)PJSIP_MAX_URL_SIZE)
+	return PJ_ETOOSMALL;
 
     return PJ_SUCCESS;
 }
diff --git a/pjsip/src/pjsua-lib/pjsua_aud.c b/pjsip/src/pjsua-lib/pjsua_aud.c
index d81ac9ab..e15c54aa 100644
--- a/pjsip/src/pjsua-lib/pjsua_aud.c
+++ b/pjsip/src/pjsua-lib/pjsua_aud.c
@@ -1759,12 +1759,14 @@ static pj_status_t open_snd_dev(pjmedia_snd_port_param *param)
 	if (status==PJ_SUCCESS) {
 	    if (param->base.clock_rate != pjsua_var.media_cfg.clock_rate) {
 		char tmp_buf[128];
-		int tmp_buf_len = sizeof(tmp_buf);
+		int tmp_buf_len;
 
-		tmp_buf_len = pj_ansi_snprintf(tmp_buf, sizeof(tmp_buf)-1,
+		tmp_buf_len = pj_ansi_snprintf(tmp_buf, sizeof(tmp_buf),
 					       "%s (%dKHz)",
 					       rec_info.name,
 					       param->base.clock_rate/1000);
+		if (tmp_buf_len < 1 || tmp_buf_len >= (int)sizeof(tmp_buf))
+		    tmp_buf_len = sizeof(tmp_buf) - 1;
 		pj_strset(&tmp, tmp_buf, tmp_buf_len);
 		pjmedia_conf_set_port0_name(pjsua_var.mconf, &tmp);
 	    } else {
diff --git a/pjsip/src/pjsua-lib/pjsua_dump.c b/pjsip/src/pjsua-lib/pjsua_dump.c
index 2f8ef73c..8fbe8c49 100644
--- a/pjsip/src/pjsua-lib/pjsua_dump.c
+++ b/pjsip/src/pjsua-lib/pjsua_dump.c
@@ -128,7 +128,7 @@ static unsigned dump_media_stat(const char *indent,
 	   ""
 	   );
 
-    if (len < 1 || len > end-p) {
+    if (len < 1 || len >= end-p) {
 	*p = '\0';
 	return (unsigned)(p-buf);
     }
@@ -186,7 +186,7 @@ static unsigned dump_media_stat(const char *indent,
 	   pj_math_stat_get_stddev(&stat->tx.jitter) / 1000.0
 	   );
 
-    if (len < 1 || len > end-p) {
+    if (len < 1 || len >= end-p) {
 	*p = '\0';
 	return (unsigned)(p-buf);
     }
@@ -201,7 +201,7 @@ static unsigned dump_media_stat(const char *indent,
 	   stat->rtt.last / 1000.0,
 	   pj_math_stat_get_stddev(&stat->rtt) / 1000.0
 	   );
-    if (len < 1 || len > end-p) {
+    if (len < 1 || len >= end-p) {
 	*p = '\0';
 	return (unsigned)(p-buf);
     }
@@ -259,7 +259,7 @@ static void dump_media_session(const char *indent,
 	    len = pj_ansi_snprintf(p, end-p,
 		      "%s  #%d %s deactivated\n",
 		      indent, i, media_type_str);
-	    if (len < 1 || len > end-p) {
+	    if (len < 1 || len >= end-p) {
 		*p = '\0';
 		return;
 	    }
@@ -363,7 +363,7 @@ static void dump_media_session(const char *indent,
 		  codec_info,
 		  dir_str,
 		  rem_addr);
-	if (len < 1 || len > end-p) {
+	if (len < 1 || len >= end-p) {
 	    *p = '\0';
 	    return;
 	}
@@ -470,7 +470,7 @@ static void dump_media_session(const char *indent,
 	    sprintf(s, "%d", v)
 
 #   define VALIDATE_PRINT_BUF() \
-	if (len < 1 || len > end-p) { *p = '\0'; return; } \
+	if (len < 1 || len >= end-p) { *p = '\0'; return; } \
 	p += len; *p++ = '\n'; *p = '\0'