From bdbd312c471f1b803b1877371ac5183016f929bf Mon Sep 17 00:00:00 2001 From: Benny Prijono Date: Mon, 9 Nov 2009 05:18:12 +0000 Subject: Ticket #988: Aray bounds checking in SDP functions (thanks Mark Webster for the report) git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@2995 74dad513-b988-da41-8d7b-12977e46ad98 --- pjmedia/include/pjmedia/sdp.h | 12 ++++++++++++ pjmedia/src/pjmedia/sdp.c | 33 ++++++++++++++++++++++++++++----- 2 files changed, 40 insertions(+), 5 deletions(-) (limited to 'pjmedia') diff --git a/pjmedia/include/pjmedia/sdp.h b/pjmedia/include/pjmedia/sdp.h index 4333b5d1..433e3e53 100644 --- a/pjmedia/include/pjmedia/sdp.h +++ b/pjmedia/include/pjmedia/sdp.h @@ -652,6 +652,18 @@ PJ_DECL(pj_status_t) pjmedia_sdp_session_cmp(const pjmedia_sdp_session *sd1, unsigned option); +/** + * Add new attribute to the session descriptor. + * + * @param s The SDP session description. + * @param attr Attribute to add. + * + * @return PJ_SUCCESS or the appropriate error code. + */ +PJ_DECL(pj_status_t) pjmedia_sdp_session_add_attr(pjmedia_sdp_session *m, + pjmedia_sdp_attr *attr); + + PJ_END_DECL /** diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c index 6719a5d3..1fec620f 100644 --- a/pjmedia/src/pjmedia/sdp.c +++ b/pjmedia/src/pjmedia/sdp.c @@ -174,6 +174,7 @@ PJ_DEF(pjmedia_sdp_attr*) pjmedia_sdp_attr_find2(unsigned count, } + PJ_DEF(pj_status_t) pjmedia_sdp_attr_add(unsigned *count, pjmedia_sdp_attr *attr_array[], pjmedia_sdp_attr *attr) @@ -680,6 +681,12 @@ PJ_DEF(pj_status_t) pjmedia_sdp_media_add_attr( pjmedia_sdp_media *m, return pjmedia_sdp_attr_add(&m->attr_count, m->attr, attr); } +PJ_DEF(pj_status_t) pjmedia_sdp_session_add_attr(pjmedia_sdp_session *s, + pjmedia_sdp_attr *attr) +{ + return pjmedia_sdp_attr_add(&s->attr_count, s->attr, attr); +} + PJ_DEF(unsigned) pjmedia_sdp_media_remove_all_attr(pjmedia_sdp_media *m, const char *name) { @@ -978,13 +985,22 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med, /* format list */ med->desc.fmt_count = 0; while (*scanner->curptr == ' ') { + pj_str_t fmt; + pj_scan_get_char(scanner); /* Check again for the end of the line */ if ((*scanner->curptr == '\r') || (*scanner->curptr == '\n')) break; - pj_scan_get(scanner, &cs_token, &med->desc.fmt[med->desc.fmt_count++]); + pj_scan_get(scanner, &cs_token, &fmt); + if (med->desc.fmt_count < PJMEDIA_MAX_SDP_FMT) + med->desc.fmt[med->desc.fmt_count++] = fmt; + else + PJ_PERROR(2,(THIS_FILE, PJ_ETOOMANY, + "Error adding SDP media format %.*s, " + "format is ignored", + (int)fmt.slen, fmt.ptr)); } /* We've got what we're looking for, skip anything until newline */ @@ -1082,9 +1098,9 @@ PJ_DEF(pj_status_t) pjmedia_sdp_parse( pj_pool_t *pool, attr = parse_attr(pool, &scanner, &ctx); if (attr) { if (media) { - media->attr[media->attr_count++] = attr; + pjmedia_sdp_media_add_attr(media, attr); } else { - session->attr[session->attr_count++] = attr; + pjmedia_sdp_session_add_attr(session, attr); } } break; @@ -1109,7 +1125,11 @@ PJ_DEF(pj_status_t) pjmedia_sdp_parse( pj_pool_t *pool, case 'm': media = PJ_POOL_ZALLOC_T(pool, pjmedia_sdp_media); parse_media(&scanner, media, &ctx); - session->media[ session->media_count++ ] = media; + if (session->media_count < PJMEDIA_MAX_SDP_MEDIA) + session->media[ session->media_count++ ] = media; + else + PJ_PERROR(2,(THIS_FILE, PJ_ETOOMANY, + "Error adding media, media is ignored")); break; case 'v': parse_version(&scanner, &ctx); @@ -1352,11 +1372,14 @@ PJ_DEF(pj_status_t) pjmedia_sdp_media_deactivate(pj_pool_t *pool, pjmedia_sdp_attr *attr; static const pj_str_t ID_INACTIVE = { "inactive", 8 }; + if (m->attr_count >= PJMEDIA_MAX_SDP_ATTR) + return PJ_ETOOMANY; + attr = pjmedia_sdp_attr_create(pool, ID_INACTIVE.ptr, NULL); if (NULL == attr) return PJ_ENOMEM; - m->attr[m->attr_count++] = attr; + pjmedia_sdp_media_add_attr(m, attr); m->desc.port = 0; return PJ_SUCCESS; -- cgit v1.2.3