Index: librtsp/rtspprot.cpp --- librtsp/rtspprot.cpp.orig +++ librtsp/rtspprot.cpp @@ -15,6 +15,7 @@ #include "app.h" #include "rtspprot.h" +#include "Avl.h" #include "dbg.h" /************************************** @@ -45,6 +46,7 @@ CRtspInterleavedSocket::~CRtspInterleavedSocket( void { Close(); delete m_pbuf; + m_pbuf = NULL; } bool CRtspInterleavedSocket::IsOpen( void ) @@ -56,7 +58,9 @@ void CRtspInterleavedSocket::Close( void ) { if( m_pProt ) { - m_pProt->m_ppSockets[m_chan] = NULL; + // XXX FIX Wenn m_pProt an der Stell eh schon geloescht wurde, ist das + // entfernen der Sockets eigentlichh sinnlos + // m_pProt->m_ppSockets[m_chan] = NULL; m_pProt = NULL; if( m_pResponse ) m_pResponse->OnClosed(); } @@ -68,7 +72,7 @@ size_t CRtspInterleavedSocket::Read( PVOID pbuf, size_ // We will treat the read as a datagram -- copy as much as will fit and // discard any remainder - size_t copylen = min( nLen, m_pbuf->GetSize() ); + size_t copylen = MIN( nLen, m_pbuf->GetSize() ); memcpy( pbuf, m_pbuf->GetBuffer(), copylen ); delete m_pbuf; m_pbuf = NULL; @@ -154,6 +158,9 @@ CRtspProtocol::~CRtspProtocol( void ) delete m_psock; delete[] m_pReadBuf; delete m_pmsg; + m_psock = NULL; + m_pReadBuf = NULL; + m_pmsg = NULL; } void CRtspProtocol::Init( CSocket* pSocket ) @@ -174,7 +181,8 @@ void CRtspProtocol::SendRequest( CRtspRequestMsg* pmsg { char buf[16]; cseq = GetNextCseq(); - sprintf( buf, "%u", cseq ); + size_t n = snprintf( buf, sizeof(buf), "%u", cseq ); + assert( sizeof(buf) >= n ); pmsg->SetHdr( "CSeq", buf ); } else @@ -190,28 +198,62 @@ void CRtspProtocol::SendRequest( CRtspRequestMsg* pmsg // SP SP "RTSP/1.0" CRLF // CRLF size_t len = FUDGE + strlen(pVerb)+1+strlen(pUrl)+1+8 + 2 + nHdrLen + 2 + nBufLen; - char* pbuf = new char[ FUDGE + strlen(pVerb)+1+strlen(pUrl)+1+8 + 2 + - nHdrLen + 2 + nBufLen ]; + size_t bufferLength = FUDGE + strlen(pVerb) + 1 + strlen(pUrl) + 1 + 8 + 2 + nHdrLen + 2 + nBufLen; + char* pbuf = new char[ bufferLength ]; char* p = pbuf; + size_t writtenChars = 0; + size_t leftBufferSpace = bufferLength; if( !pbuf ) { printf( "Out of memory\n" ); exit( -1 ); } - p += sprintf( pbuf, "%s %s RTSP/1.0\r\n", pVerb, pUrl ); + writtenChars = snprintf( pbuf, bufferLength, "%s %s RTSP/1.0\r\n", pVerb, pUrl ); + if ( writtenChars > leftBufferSpace ) + { + printf( "Possible request buffer overflow!\n" ); + exit( -1 ); + } + + leftBufferSpace -= writtenChars; + assert ( leftBufferSpace > 0 ); + p += writtenChars; for( UINT n = 0; n < pmsg->GetHdrCount(); n++ ) { CRtspHdr* pHdr = pmsg->GetHdr( n ); - p += sprintf( p, "%s: %s\r\n", (CPCHAR)pHdr->GetKey(), (CPCHAR)pHdr->GetVal() ); + writtenChars = snprintf( p, leftBufferSpace, "%s: %s\r\n", (CPCHAR)pHdr->GetKey(), (CPCHAR)pHdr->GetVal() ); + if ( writtenChars > leftBufferSpace ) + { + printf( "Possible request buffer overflow!\n" ); + exit( -1 ); + } + + leftBufferSpace -= writtenChars; + assert( leftBufferSpace > 0 ); + p += writtenChars; } - p += sprintf( p, "\r\n" ); + assert( leftBufferSpace >= 3 ); + + if ( leftBufferSpace < 3 ) + { + printf( "Possible request buffer overflow!\n" ); + exit( -1 ); + } + + p += snprintf( p, leftBufferSpace, "\r\n" ); if( nBufLen ) { + assert( leftBufferSpace >= nBufLen ); + if ( leftBufferSpace < nBufLen ) + { + printf( "Possible request buffer overflow!\n" ); + exit( -1 ); + } memcpy( p, pmsg->GetBuf(), nBufLen ); p += nBufLen; } -assert( p-pbuf <= len ); + assert( static_cast( p-pbuf ) <= len ); m_psock->Write( pbuf, p-pbuf ); delete[] pbuf; @@ -232,21 +274,52 @@ void CRtspProtocol::SendResponse( CRtspResponseMsg* pm if( 0 == nBufLen ) nResponseLen++; char* pbuf = new char[ nResponseLen ]; char* p = pbuf; + size_t writtenChars = 0; + size_t leftBufferSpace = nResponseLen; if( !pbuf ) { printf( "Out of memory\n" ); exit( -1 ); } - p += sprintf( pbuf, "RTSP/1.0 %u %s\r\n", nCode, pReason ); + writtenChars = snprintf( pbuf, leftBufferSpace, "RTSP/1.0 %u %s\r\n", nCode, pReason ); + if ( writtenChars > leftBufferSpace ) + { + printf( "Possible request buffer overflow!\n" ); + exit( -1 ); + } + + leftBufferSpace -= writtenChars; + assert( leftBufferSpace > 0 ); + p += writtenChars; for( UINT n = 0; n < pmsg->GetHdrCount(); n++ ) { CRtspHdr* pHdr = pmsg->GetHdr( n ); - p += sprintf( p, "%s: %s\r\n", (CPCHAR)pHdr->GetKey(), (CPCHAR)pHdr->GetVal() ); + writtenChars = snprintf( p, leftBufferSpace, "%s: %s\r\n", (CPCHAR)pHdr->GetKey(), (CPCHAR)pHdr->GetVal() ); + if ( writtenChars > leftBufferSpace ) + { + printf( "Possible request buffer overflow!\n" ); + exit( -1 ); + } + leftBufferSpace -= writtenChars; + assert( leftBufferSpace > 0 ); + p += writtenChars; } - p += sprintf( p, "\r\n" ); + assert( leftBufferSpace >=3 ); + if ( leftBufferSpace < 3 ) + { + printf( "Possible request buffer overflow!\n" ); + exit( -1 ); + } + p += snprintf( p, leftBufferSpace, "\r\n" ); if( nBufLen ) { + assert( leftBufferSpace >= nBufLen ); + if ( leftBufferSpace < nBufLen ) + { + printf( "Possible request buffer overflow!\n" ); + exit( -1 ); + } memcpy( p, pmsg->GetBuf(), nBufLen ); p += nBufLen; } @@ -672,7 +745,7 @@ void CRtspProtocol::OnExceptReady( void ) void CRtspProtocol::OnClosed( void ) { - assert( m_pResponse ); + assert( m_pResponse != NULL ); dbgout( "CRtspProtocol::OnClosed: Socket closed" ); m_pResponse->OnError( RTSPE_CLOSED ); }