Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 87220 Details for
Bug 133988
media-sound/mpg123-0.59s-r9 heap overflow
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
103_all_CAN-2004-0982-NEW.patch
103_all_CAN-2004-0982-NEW.patch (text/plain), 7.17 KB, created by
Horst Schirmeier
on 2006-05-21 18:02:36 UTC
(
hide
)
Description:
103_all_CAN-2004-0982-NEW.patch
Filename:
MIME Type:
Creator:
Horst Schirmeier
Created:
2006-05-21 18:02:36 UTC
Size:
7.17 KB
patch
obsolete
>--- mpg123-orig/httpget.c 2000-10-30 18:45:12.000000000 +0100 >+++ mpg123-myfix/httpget.c 2006-05-22 02:45:59.000000000 +0200 >@@ -3,6 +3,11 @@ > * > * Oliver Fromme <oliver.fromme@heim3.tu-clausthal.de> > * Wed Apr 9 20:57:47 MET DST 1997 >+ * >+ * Modified by Jeremy Huddleston <eradicator@gentoo.org> 2004.10.21 per >+ * http://bugs.gentoo.org/show_bug.cgi?id=68343 >+ * http://www.barrossecurity.com/advisories/mpg123_getauthfromurl_bof_advisory.txt >+ * > */ > > #undef ALSA >@@ -221,12 +226,12 @@ unsigned char *proxyport; > #define ACCEPT_HEAD "Accept: audio/mpeg, audio/x-mpegurl, */*\r\n" > > char *httpauth = NULL; >-char httpauth1[256]; >+char *httpauth1 = NULL; > > int http_open (char *url) > { > char *purl, *host, *request, *sptr; >- int linelength; >+ unsigned int linelength, linelengthbase, purl_length; > unsigned long myip; > unsigned char *myport; > int sock; >@@ -270,53 +275,80 @@ int http_open (char *url) > exit(1); > } > >- >- if ((linelength = strlen(url)+200) < 1024) >- linelength = 1024; >- if (!(request = malloc(linelength)) || !(purl = malloc(1024))) { >+ /* >+ * The length of purl is upper bound by 3*strlen(url) + 1 if everything >+ * in it is a space. For HTTP redirections, we need something longer; >+ * 1024 bytes were arbitrarily chosen. >+ */ >+ purl_length = strlen(url) * 3 + 1; >+ if (purl_length < 1024) purl_length = 1024; >+ purl = (char *)malloc(sizeof(char) * purl_length); >+ if (!purl) { > fprintf (stderr, "malloc() failed, out of memory.\n"); > exit (1); > } >- /* >- * 2000-10-21: >- * We would like spaces to be automatically converted to %20's when >- * fetching via HTTP. >- * -- Martin Sjögren <md9ms@mdstud.chalmers.se> >- */ >- if ((sptr = strchr(url, ' ')) == NULL) { >- strncpy (purl, url, 1023); >- purl[1023] = '\0'; >- } >- else { >- int purllength = 0; >- char *urlptr = url; >- purl[0] = '\0'; >- do { >- purllength += sptr-urlptr + 3; >- if (purllength >= 1023) >- break; >- strncat (purl, urlptr, sptr-urlptr); >- //purl[sptr-url] = '\0'; >- strcat (purl, "%20"); >- urlptr = sptr + 1; >- } >- while ((sptr = strchr (urlptr, ' ')) != NULL); >- strcat (purl, urlptr); >- } > >+ /* >+ * 2000-10-21: >+ * We would like spaces to be automatically converted to %20's when >+ * fetching via HTTP. >+ * -- Martin Sjögren <md9ms@mdstud.chalmers.se> >+ */ >+ if ((sptr = strchr(url, ' ')) == NULL) { >+ strcpy (purl, url); >+ } else { >+ char *urlptr = url; >+ purl[0] = '\0'; >+ do { >+ strncat (purl, urlptr, sptr - urlptr); >+ strcat (purl, "%20"); >+ urlptr = sptr + 1; >+ } >+ while ((sptr = strchr (urlptr, ' ')) != NULL); >+ strcat (purl, urlptr); >+ } >+ >+ httpauth1 = (char *)malloc((strlen(purl) + 1) * sizeof(char)); >+ if(!httpauth1) { >+ fprintf(stderr, "malloc() failed, out of memory.\n"); >+ exit(1); >+ } >+ getauthfromURL(purl,httpauth1); >+ >+ /* "GET http://" + 11 >+ * " HTTP/1.0\r\nUser-Agent: <prgName>/<prgVersion>\r\n" 26 + prgName + prgVersion >+ * ACCEPT_HEAD strlen(ACCEPT_HEAD) >+ * "Authorization: Basic \r\n" 23 >+ * "\r\n" 2 >+ */ >+ linelengthbase = 62 + strlen(prgName) + strlen(prgVersion) + strlen(ACCEPT_HEAD); >+ >+ if(httpauth) >+ linelengthbase += (strlen(httpauth) + 1) * 4; > >- getauthfromURL(purl,httpauth1); >+ if(httpauth1) >+ linelengthbase += (strlen(httpauth1) + 1) * 4; > > do { >- strcpy (request, "GET "); > if (proxyip != INADDR_NONE) { >- if (strncasecmp(url, "http://", 7) != 0 && strncasecmp(url,"ftp://", 6) != 0) >- strcat (request, "http://"); >- strcat (request, purl); > myport = proxyport; > myip = proxyip; >- } >- else { >+ >+ linelength = linelengthbase + strlen(purl); >+ if(host) >+ linelength += 9 + strlen(host) + strlen(myport); /* "Host: <host>:<port>\r\n" */ >+ >+ request = (char *)malloc((linelength + 1) * sizeof(char)); >+ if (!request) { >+ fprintf (stderr, "malloc() failed, out of memory.\n"); >+ exit (1); >+ } >+ >+ strcpy (request, "GET "); >+ if (strncasecmp(url, "http://", 7) != 0 && strncasecmp(url,"ftp://", 6) != 0) >+ strcat (request, "http://"); >+ strcat (request, purl); >+ } else { > if (host) { > free(host); > host=NULL; >@@ -325,19 +357,30 @@ int http_open (char *url) > free(proxyport); > proxyport=NULL; > } >- if (!(sptr = url2hostport(purl, &host, &myip, &myport))) { >- fprintf (stderr, "Unknown host \"%s\".\n", >- host ? host : ""); >+ >+ sptr = url2hostport(purl, &host, &myip, &myport); >+ if (!sptr) { >+ fprintf (stderr, "Unknown host \"%s\".\n", host ? host : ""); >+ exit (1); >+ } >+ >+ linelength = linelengthbase + strlen(sptr); >+ if(host) >+ linelength += 9 + strlen(host) + strlen(myport); /* "Host: <host>:<port>\r\n" */ >+ >+ request = (char *)malloc((linelength + 1) * sizeof(char)); >+ if (!request) { >+ fprintf (stderr, "malloc() failed, out of memory.\n"); > exit (1); > } >+ >+ strcpy (request, "GET "); > strcat (request, sptr); > } >- sprintf (request + strlen(request), >- " HTTP/1.0\r\nUser-Agent: %s/%s\r\n", >- prgName, prgVersion); >+ >+ sprintf (request + strlen(request), " HTTP/1.0\r\nUser-Agent: %s/%s\r\n", prgName, prgVersion); > if (host) { >- sprintf(request + strlen(request), >- "Host: %s:%s\r\n", host, myport); >+ sprintf(request + strlen(request), "Host: %s:%s\r\n", host, myport); > #if 0 > free (host); > #endif >@@ -394,15 +437,29 @@ fail: > exit(1); > } > >- if (strlen(httpauth1) || httpauth) { >- char buf[1023]; >+ if (httpauth1 || httpauth) { >+ char *buf; > strcat (request,"Authorization: Basic "); >- if(strlen(httpauth1)) >- encode64(httpauth1,buf); >- else >- encode64(httpauth,buf); >- strcat (request,buf); >+ if(httpauth1) { >+ buf=(char *)malloc((strlen(httpauth1) + 1) * 4 * sizeof(char)); >+ if(!buf) { >+ fprintf(stderr, "Error allocating sufficient memory for http authentication. Exiting."); >+ exit(1); >+ } >+ encode64(httpauth1,buf); >+ free(httpauth1); >+ } else { >+ buf=(char *)malloc((strlen(httpauth) + 1) * 4 * sizeof(char)); >+ if(!buf) { >+ fprintf(stderr, "Error allocating sufficient memory for http authentication. Exiting."); >+ exit(1); >+ } >+ encode64(httpauth,buf); >+ } >+ >+ strcat (request, buf); > strcat (request,"\r\n"); >+ free(buf); > } > strcat (request, "\r\n"); > >@@ -428,16 +485,19 @@ fail: > } > do { > readstring (request, linelength-1, myfile); >- if (!strncmp(request, "Location:", 9)) >- strncpy (purl, request+10, 1023); >+ if (!strncmp(request, "Location:", 9)) { >+ strncpy (purl, request+10, purl_length); >+ purl[purl_length - 1] = 0; >+ } > } while (request[0] != '\r' && request[0] != '\n'); >+ >+ free(request); > } while (relocate && purl[0] && numrelocs++ < 5); > if (relocate) { > fprintf (stderr, "Too many HTTP relocations.\n"); > exit (1); > } >- free (purl); >- free (request); >+ free(purl); > free(host); > free(proxyport); > free(myport);
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 133988
: 87220 |
87221