vlc | branch: master | Will Newton <[email protected]> | Tue Feb 12 16:33:17 2019 +0000| [18a463930511f908733e95906abbeb43430ee09d] | committer: Hugo Beauzée-Luyssen
upnp: Use UpnpResolveURL2 API instead of UpnpResolveURL
The UpnpResolveURL APi is very hard to use correctly and can result in buffer overflow issues. Use the UpnpResolveURL2 API instead and fix two small buffer overflows.
https://hackerone.com/reports/494841
Signed-off-by: Will Newton <[email protected]>
Signed-off-by: Hugo Beauzée-Luyssen <[email protected]>
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=18a463930511f908733e95906abbeb43430ee09d
---
 modules/services_discovery/upnp.cpp | 27 +++++++++++----------------
 modules/stream_out/dlna/dlna.cpp | 4 ++--
 2 files changed, 13 insertions(+), 18 deletions(-)
diff --git a/modules/services_discovery/upnp.cpp b/modules/services_discovery/upnp.cpp
index 9aa62d96d4..a467caaaa8 100644
--- a/modules/services_discovery/upnp.cpp
+++ b/modules/services_discovery/upnp.cpp
@@ -566,25 +566,20 @@ void MediaServerList::parseNewServer( IXML_Document *doc, const std::string &loc
 }
 /* Try to browse content directory. */
- char* psz_url = ( char* ) malloc( strlen( psz_base_url ) + strlen( psz_control_url ) + 1 );
- if ( psz_url )
+ char* psz_url = NULL;
+ if ( UpnpResolveURL2( psz_base_url, psz_control_url, &psz_url ) == UPNP_E_SUCCESS )
 {
- if ( UpnpResolveURL( psz_base_url, psz_control_url, psz_url ) == UPNP_E_SUCCESS )
+ SD::MediaServerDesc* p_server = new(std::nothrow) SD::MediaServerDesc( psz_udn,
+ psz_friendly_name, psz_url, iconUrl );
+ free( psz_url );
+ if ( unlikely( !p_server ) )
+ break;
+
+ if ( !addServer( p_server ) )
 {
- SD::MediaServerDesc* p_server = new(std::nothrow) SD::MediaServerDesc( psz_udn,
- psz_friendly_name, psz_url, iconUrl );
- free( psz_url );
- if ( unlikely( !p_server ) )
- break;
-
- if ( !addServer( p_server ) )
- {
- delete p_server;
- continue;
- }
+ delete p_server;
+ continue;
 }
- else
- free( psz_url );
 }
 }
 ixmlNodeList_free( p_service_list );
diff --git a/modules/stream_out/dlna/dlna.cpp b/modules/stream_out/dlna/dlna.cpp
index da966442f5..44fcef90ec 100644
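Review bot: When `UpnpResolveURL2` fails in `parseNewServer`, the new `if` just falls through, so a device whose control URL cannot be resolved against its base URL is skipped without any trace. Both strings presumably come from the parsed device description (the `IXML_Document` in the signature), which is network-supplied, so a warning in an `else` branch naming the device would make malformed or hostile descriptions visible in logs. The initialiser on the line above would read better as `char* psz_url = nullptr;`, matching the `return nullptr;` in the dlna.cpp hunk, whose initialiser has the same `NULL`. `free( psz_url )` directly after constructing `SD::MediaServerDesc` is only safe if the constructor copies the string, which is not visible here; the function body continues outside the hunk.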
--- a/modules/stream_out/dlna/dlna.cpp
+++ b/modules/stream_out/dlna/dlna.cpp
@@ -519,8 +519,8 @@ char *MediaRenderer::getServiceURL(const char* type, const char *service)
 if ( !psz_control_url )
 continue;
- char* psz_url = ( char* ) malloc( base_url.length() + strlen( psz_control_url ) + 1 );
- if ( psz_url && UpnpResolveURL( base_url.c_str(), psz_control_url, psz_url ) == UPNP_E_SUCCESS )
+ char* psz_url = NULL;
+ if ( UpnpResolveURL2( base_url.c_str(), psz_control_url, &psz_url ) == UPNP_E_SUCCESS )
 return psz_url;
 return nullptr;
 }
_______________________________________________
vlc-commits mailing list
[email protected]
https://mailman.videolan.org/listinfo/vlc-commits
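Review bot: `getServiceURL` now returns a buffer allocated inside libupnp by `UpnpResolveURL2` instead of one malloc'ed in this function, and nothing on the new lines tells callers how to release it. A comment above the function such as `/* Returns a heap-allocated URL owned by the caller; release with free(). */` would record that, consistent with the `free( psz_url )` in the upnp.cpp hunk. The callers and the start of the function are outside this hunk, so each call site should be checked for a matching `free()`. On a non-success return the code reaches `return nullptr;` without touching `psz_url`, which assumes `UpnpResolveURL2` leaves the out-pointer unallocated on failure; that is worth confirming against the libupnp documentation.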
