From 7369d96f8361c523a7ae4753391a9a7336a89fb8 Mon Sep 17 00:00:00 2001 From: Benny Prijono Date: Tue, 8 Oct 2013 09:08:13 +0000 Subject: Re #1703: fixing general bugs. First installment: correct handling of snprintf return value git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@4613 74dad513-b988-da41-8d7b-12977e46ad98 --- pjmedia/src/pjmedia-audiodev/alsa_dev.c | 29 +++++++++++++++++++++++------ pjmedia/src/pjmedia-audiodev/errno.c | 3 ++- pjmedia/src/pjmedia-videodev/errno.c | 3 ++- pjmedia/src/pjmedia/endpoint.c | 10 +++++----- pjmedia/src/pjmedia/errno.c | 3 ++- pjmedia/src/pjmedia/ffmpeg_util.c | 2 ++ pjmedia/src/pjmedia/sdp.c | 4 ++-- pjmedia/src/pjmedia/stream.c | 2 ++ pjmedia/src/pjmedia/transport_ice.c | 4 ++-- pjmedia/src/pjmedia/transport_srtp.c | 7 ++++++- pjmedia/src/pjmedia/vid_stream.c | 2 ++ 11 files changed, 50 insertions(+), 19 deletions(-) (limited to 'pjmedia') diff --git a/pjmedia/src/pjmedia-audiodev/alsa_dev.c b/pjmedia/src/pjmedia-audiodev/alsa_dev.c index efda3190..997b5894 100644 --- a/pjmedia/src/pjmedia-audiodev/alsa_dev.c +++ b/pjmedia/src/pjmedia-audiodev/alsa_dev.c @@ -171,7 +171,7 @@ static void alsa_error_handler (const char *file, ...) { char err_msg[128]; - int index; + int index, len; va_list arg; #ifndef NDEBUG 
@@ -180,13 +180,30 @@ static void alsa_error_handler (const char *file, #else index = snprintf (err_msg, sizeof(err_msg), "ALSA lib: "); #endif + if (index < 1 || index >= (int)sizeof(err_msg)) { + index = sizeof(err_msg)-1; + err_msg[index] = '\0'; + goto print_msg; + } + va_start (arg, fmt); - if (index < sizeof(err_msg)-1) - index += vsnprintf (err_msg+index, sizeof(err_msg)-index, fmt, arg); + if (index < sizeof(err_msg)-1) { + len = vsnprintf( err_msg+index, sizeof(err_msg)-index, fmt, arg); + if (len < 1 || len >= (int)sizeof(err_msg)-index) + len = sizeof(err_msg)-index-1; + index += len; + err_msg[index] = '\0'; + } va_end(arg); - if (err && index < sizeof(err_msg)-1) - index += snprintf (err_msg+index, sizeof(err_msg)-index, ": %s", - snd_strerror(err)); + if (err && index < sizeof(err_msg)-1) { + len = snprintf( err_msg+index, sizeof(err_msg)-index, ": %s", + snd_strerror(err)); + if (len < 1 || len >= (int)sizeof(err_msg)-index) + len = sizeof(err_msg)-index-1; + index += len; + err_msg[index] = '\0'; + } +print_msg: PJ_LOG (4,(THIS_FILE, "%s", err_msg)); } diff --git a/pjmedia/src/pjmedia-audiodev/errno.c b/pjmedia/src/pjmedia-audiodev/errno.c index a928485a..f22ee2ea 100644 --- a/pjmedia/src/pjmedia-audiodev/errno.c +++ b/pjmedia/src/pjmedia-audiodev/errno.c @@ -214,7 +214,8 @@ PJ_DEF(pj_str_t) pjmedia_audiodev_strerror(pj_status_t statcode, errstr.slen = pj_ansi_snprintf(buf, bufsize, "Unknown pjmedia-audiodev error %d", statcode); - + if (errstr.slen < 1 || errstr.slen >= (pj_ssize_t)bufsize) + errstr.slen = bufsize - 1; return errstr; } diff --git a/pjmedia/src/pjmedia-videodev/errno.c b/pjmedia/src/pjmedia-videodev/errno.c index d6c0da24..ee5197a4 100644 --- a/pjmedia/src/pjmedia-videodev/errno.c +++ b/pjmedia/src/pjmedia-videodev/errno.c 
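Review bot: The `len < 1` arm of both new clamps in `alsa_error_handler` treats a failed or empty print as a full truncation, so `index` jumps to the end of `err_msg` and only the last byte is terminated. `err_msg` is declared without an initialiser in the previous hunk, so after a negative return the `PJ_LOG` at `print_msg` can emit whatever stack bytes lie between the old `index` and the end of the buffer, and a zero-length `vsnprintf` result silently drops the `snd_strerror(err)` suffix. Splitting the cases keeps the string terminated where the last successful write ended: `if (len < 0) len = 0; else if (len >= (int)sizeof(err_msg)-index) len = sizeof(err_msg)-index-1;`, plus `err_msg[0] = '\0';` in the first guard when `index < 0`. The same `< 1` clamp is added in the ffmpeg_util.c, stream.c and vid_stream.c hunks, where it makes the following length or file write cover bytes the call may not have produced.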
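Review bot: `errstr.slen = bufsize - 1` wraps when `bufsize` is 0, and nothing in this hunk guards against that. The `(pj_ssize_t)bufsize` cast suggests `bufsize` is unsigned, in which case a zero-size print returns the would-be length, the `>=` test succeeds, and `slen` ends up as -1. `pjmedia_audiodev_strerror` starts above the hunk, so an earlier check may exist; if it does not, `if (bufsize == 0) { errstr.slen = 0; return errstr; }` before the print covers it. The identical two lines added in pjmedia-videodev/errno.c and pjmedia/errno.c need the same guard.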
@@ -111,7 +111,8 @@ PJ_DEF(pj_str_t) pjmedia_videodev_strerror(pj_status_t statcode, errstr.slen = pj_ansi_snprintf(buf, bufsize, "Unknown pjmedia-videodev error %d", statcode); - + if (errstr.slen < 1 || errstr.slen >= (pj_ssize_t)bufsize) + errstr.slen = bufsize - 1; return errstr; } diff --git a/pjmedia/src/pjmedia/endpoint.c b/pjmedia/src/pjmedia/endpoint.c index 1a9d2eb6..6abc680d 100644 --- a/pjmedia/src/pjmedia/endpoint.c +++ b/pjmedia/src/pjmedia/endpoint.c @@ -490,9 +490,9 @@ PJ_DEF(pj_status_t) pjmedia_endpt_create_audio_sdp(pjmedia_endpt *endpt, pjmedia_codec_fmtp *dec_fmtp = &codec_param.setting.dec_fmtp; /* Print codec PT */ - buf_len += pj_ansi_snprintf(buf, - MAX_FMTP_STR_LEN - buf_len, - "%d", + buf_len += pj_ansi_snprintf(buf, + MAX_FMTP_STR_LEN - buf_len, + "%d", codec_info->pt); for (i = 0; i < dec_fmtp->cnt; ++i) { @@ -500,7 +500,7 @@ PJ_DEF(pj_status_t) pjmedia_endpt_create_audio_sdp(pjmedia_endpt *endpt, /* Check if buf still available */ test_len = dec_fmtp->param[i].val.slen + - dec_fmtp->param[i].name.slen; + dec_fmtp->param[i].name.slen + 2; if (test_len + buf_len >= MAX_FMTP_STR_LEN) return PJ_ETOOBIG; @@ -686,7 +686,7 @@ PJ_DEF(pj_status_t) pjmedia_endpt_create_video_sdp(pjmedia_endpt *endpt, /* Check if buf still available */ test_len = dec_fmtp->param[j].val.slen + - dec_fmtp->param[j].name.slen; + dec_fmtp->param[j].name.slen + 2; if (test_len + buf_len >= MAX_FMTP_STR_LEN) return PJ_ETOOBIG; diff --git a/pjmedia/src/pjmedia/errno.c b/pjmedia/src/pjmedia/errno.c index 7a8538eb..a4584739 100644 --- a/pjmedia/src/pjmedia/errno.c +++ b/pjmedia/src/pjmedia/errno.c @@ -266,7 +266,8 @@ PJ_DEF(pj_str_t) pjmedia_strerror( pj_status_t statcode, errstr.slen = pj_ansi_snprintf(buf, bufsize, "Unknown pjmedia error %d", statcode); - + if (errstr.slen < 1 || errstr.slen >= (pj_ssize_t)bufsize) + errstr.slen = bufsize - 1; return errstr; } 
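Review bot: The `+ 2` added to `test_len` in `pjmedia_endpt_create_audio_sdp` has no comment saying which two bytes it reserves; presumably they are the separator characters printed with each fmtp parameter, but the print call is below the hunk. A short comment such as `/* +2: separators written with each name/value pair */` would keep the bound and the format string in step. The same line is added in `pjmedia_endpt_create_video_sdp` in the next hunk. Separately, the `"%d"` print of `codec_info->pt` in the preceding hunk still adds the `pj_ansi_snprintf` return value to `buf_len` unchecked, which is the pattern this commit fixes elsewhere.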
diff --git a/pjmedia/src/pjmedia/ffmpeg_util.c b/pjmedia/src/pjmedia/ffmpeg_util.c index 4698191f..da2d5a19 100644 --- a/pjmedia/src/pjmedia/ffmpeg_util.c +++ b/pjmedia/src/pjmedia/ffmpeg_util.c @@ -114,6 +114,8 @@ static void ffmpeg_log_cb(void* ptr, int level, const char* fmt, va_list vl) if (ptr) { AVClass* avc = *(AVClass**)ptr; len = pj_ansi_snprintf(buf, bufsize, "%s: ", avc->item_name(ptr)); + if (len < 1 || len >= bufsize) + len = bufsize - 1; bufsize -= len; } diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c index 4155f6a4..5451ed35 100644 --- a/pjmedia/src/pjmedia/sdp.c +++ b/pjmedia/src/pjmedia/sdp.c @@ -503,7 +503,7 @@ PJ_DEF(pj_status_t) pjmedia_sdp_rtpmap_to_attr(pj_pool_t *pool, (int)rtpmap->param.slen, rtpmap->param.ptr); - if (len < 1 || len > (int)sizeof(tempbuf)) + if (len < 1 || len >= (int)sizeof(tempbuf)) return PJMEDIA_SDP_ERTPMAPTOOLONG; attr->value.slen = len; @@ -526,7 +526,7 @@ static int print_connection_info( pjmedia_sdp_conn *c, char *buf, int len) c->addr_type.ptr, (int)c->addr.slen, c->addr.ptr); - if (printed < 1 || printed > len) + if (printed < 1 || printed >= len) return -1; return printed; diff --git a/pjmedia/src/pjmedia/stream.c b/pjmedia/src/pjmedia/stream.c index 9a8bde3f..d051dc43 100644 --- a/pjmedia/src/pjmedia/stream.c +++ b/pjmedia/src/pjmedia/stream.c @@ -2411,6 +2411,8 @@ PJ_DEF(pj_status_t) pjmedia_stream_create( pjmedia_endpt *endpt, "Time, Operation, Size, Frame Count, " "Frame type, RTP Seq, RTP TS, RTP M, " "JB size, JB burst level, JB prefetch\n"); + if (len < 1 || len >= PJ_LOG_MAX_SIZE) + len = PJ_LOG_MAX_SIZE-1; pj_file_write(stream->trace_jb_fd, stream->trace_jb_buf, &len); pj_file_flush(stream->trace_jb_fd); } diff --git a/pjmedia/src/pjmedia/transport_ice.c b/pjmedia/src/pjmedia/transport_ice.c index 9ce9a333..b6009260 100644 --- a/pjmedia/src/pjmedia/transport_ice.c +++ b/pjmedia/src/pjmedia/transport_ice.c 
@@ -349,7 +349,7 @@ static int print_sdp_cand_attr(char *buffer, int max_len, len2 = -1; break; } - if (len2 < 1 || len2 >= max_len) + if (len2 < 1 || len2 >= max_len-len) return -1; return len+len2; @@ -545,7 +545,7 @@ static pj_status_t encode_session_in_sdp(struct transport_ice *tp_ice, comp+1, rem_addr, pj_sockaddr_get_port(&check->rcand->addr) ); - if (len < 1 || len >= RATTR_BUF_LEN) { + if (len < 1 || len >= RATTR_BUF_LEN - rem_cand.slen) { pj_assert(!"Not enough buffer to print " "remote-candidates"); return PJ_EBUG; diff --git a/pjmedia/src/pjmedia/transport_srtp.c b/pjmedia/src/pjmedia/transport_srtp.c index 176b2d42..85b43282 100644 --- a/pjmedia/src/pjmedia/transport_srtp.c +++ b/pjmedia/src/pjmedia/transport_srtp.c @@ -1043,6 +1043,7 @@ static pj_status_t generate_crypto_attr_value(pj_pool_t *pool, int cs_idx = get_crypto_idx(&crypto->name); char b64_key[PJ_BASE256_TO_BASE64_LEN(MAX_KEY_LEN)+1]; int b64_key_len = sizeof(b64_key); + int print_len; if (cs_idx == -1) return PJMEDIA_SRTP_ENOTSUPCRYPTO; @@ -1101,10 +1102,14 @@ static pj_status_t generate_crypto_attr_value(pj_pool_t *pool, b64_key_len + 16), PJ_ETOOSMALL); /* Print the crypto attribute value. */ - *buffer_len = pj_ansi_snprintf(buffer, *buffer_len, "%d %s inline:%s", + print_len = pj_ansi_snprintf(buffer, *buffer_len, "%d %s inline:%s", tag, crypto_suites[cs_idx].name, b64_key); + if (print_len < 1 || print_len >= *buffer_len) + return PJ_ETOOSMALL; + + *buffer_len = print_len; return PJ_SUCCESS; } diff --git a/pjmedia/src/pjmedia/vid_stream.c b/pjmedia/src/pjmedia/vid_stream.c index 4b84b8bc..b6cc36dc 100644 --- a/pjmedia/src/pjmedia/vid_stream.c +++ b/pjmedia/src/pjmedia/vid_stream.c 
@@ -1650,6 +1650,8 @@ PJ_DEF(pj_status_t) pjmedia_vid_stream_create( "Time, Operation, Size, Frame Count, " "Frame type, RTP Seq, RTP TS, RTP M, " "JB size, JB burst level, JB prefetch\n"); + if (len < 1 || len >= PJ_LOG_MAX_SIZE) + len = PJ_LOG_MAX_SIZE - 1; pj_file_write(stream->trace_jb_fd, stream->trace_jb_buf, &len); pj_file_flush(stream->trace_jb_fd); } -- cgit v1.2.3