From e033ae190e67674064a2e089874b5a4185f8a654 Mon Sep 17 00:00:00 2001
From: Lars-Dominik Braun
Date: Sat, 28 Nov 2009 12:07:28 +0100
Subject: piano: Fix NULL pointer dereference
---
 libpiano/src/http.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libpiano/src/http.c b/libpiano/src/http.c
index 98b5e11..4af5ccc 100644
--- a/libpiano/src/http.c
+++ b/libpiano/src/http.c
@@ -51,7 +51,8 @@ PianoReturn_t PianoHttpPost (WaitressHandle_t *waith, const char *postData,
 waith->postData = reqPostData;
 waith->method = WAITRESS_METHOD_POST;
- if (WaitressFetchBuf (waith, retData) == WAITRESS_RET_OK) {
+ if (WaitressFetchBuf (waith, retData) == WAITRESS_RET_OK &&
+ *retData != NULL) {
 pRet = PIANO_RET_OK;
 }
@@ -71,7 +72,8 @@ PianoReturn_t PianoHttpGet (WaitressHandle_t *waith, char **retData) {
 waith->postData = NULL;
 waith->method = WAITRESS_METHOD_GET;
- if (WaitressFetchBuf (waith, retData) == WAITRESS_RET_OK) {
+ if (WaitressFetchBuf (waith, retData) == WAITRESS_RET_OK &&
+ *retData != NULL) {
 return PIANO_RET_OK;
 }
 return PIANO_RET_NET_ERROR;
-- cgit v1.2.3
From 7dff801f34a76dd7950fc1751ce5ee2978e9b32d Mon Sep 17 00:00:00 2001
From: Lars-Dominik Braun
Date: Sat, 28 Nov 2009 12:23:45 +0100
Subject: piano: Don't decrypt too short urls Avoids invalid memory reads/writes
---
 libpiano/src/xml.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libpiano/src/xml.c b/libpiano/src/xml.c
index 8e8fb2a..185002d 100644
--- a/libpiano/src/xml.c
+++ b/libpiano/src/xml.c
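Review bot: In libpiano/src/http.c, the added `*retData != NULL` test in PianoHttpPost is only meaningful if `*retData` holds a defined value whenever WaitressFetchBuf returns WAITRESS_RET_OK; the same applies to the identical check in the PianoHttpGet hunk. WaitressFetchBuf is not shown, so if any success path (for example an empty response body) leaves the pointer unwritten, the comparison reads whatever the caller passed in, which may be uninitialised. Adding `*retData = NULL;` before each call makes the guard independent of that and also gives callers a defined pointer on the error return. A short comment such as `/* an OK fetch with an empty body yields NULL; treat it as a network error */` would record why the extra test exists. Both function bodies extend beyond the hunks.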
@@ -240,7 +240,10 @@ static void PianoXmlParsePlaylistCb (const char *key, const ezxml_t value,
 char *urlTail = NULL, *urlTailCrypted = &valueStr[valueStrN - urlTailN];
- if ((urlTail = PianoDecryptString (urlTailCrypted)) != NULL) {
+ /* don't try to decrypt if string is too short (=> invalid memory
+ * reads/writes) */
+ if (valueStrN > urlTailN &&
+ (urlTail = PianoDecryptString (urlTailCrypted)) != NULL) {
 if ((song->audioUrl = calloc (valueStrN + 1, sizeof (*song->audioUrl))) != NULL) {
 memcpy (song->audioUrl, valueStr, valueStrN - urlTailN);
-- cgit v1.2.3
From e51da0e0fb8c55cb874d87dafc7eec93bee6beb3 Mon Sep 17 00:00:00 2001
From: Lars-Dominik Braun
Date: Sat, 28 Nov 2009 12:24:44 +0100
Subject: Fix another NULL pointer dereference
---
 src/main.c | 53 +++++++++++++++++++++++++++++------------------------
 1 file changed, 29 insertions(+), 24 deletions(-)
diff --git a/src/main.c b/src/main.c
index 08eac48..190a148 100644
--- a/src/main.c
+++ b/src/main.c
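Review bot: In libpiano/src/xml.c, the new `valueStrN > urlTailN` guard comes after `urlTailCrypted = &valueStr[valueStrN - urlTailN]` has already been evaluated in the declaration just above it, so for a too-short string the out-of-range pointer is still formed even though it is no longer passed to PianoDecryptString. Forming such a pointer is undefined behaviour in C on its own, and if the two lengths are unsigned the index also wraps; their types are declared outside the hunk, so the wraparound is an inference. Take the address only after the length test, for example by passing it directly: `(urlTail = PianoDecryptString (&valueStr[valueStrN - urlTailN])) != NULL`. When the guard rejects the value, song->audioUrl presumably stays NULL, which callers then have to handle. The callback's body continues outside the hunk.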
@@ -231,30 +231,35 @@ int main (int argc, char **argv) {
 BarUiPrintSong (curSong, curStation->isQuickMix ? PianoFindStationById (ph.stations, curSong->stationId) : NULL);
- /* setup artist and song name for scrobbling (curSong
- * may be NULL later) */
- WardrobeSongInit (&scrobbleSong);
- scrobbleSong.artist = strdup (curSong->artist);
- scrobbleSong.title = strdup (curSong->title);
- scrobbleSong.album = strdup (curSong->album);
- scrobbleSong.started = time (NULL);
-
- /* setup player */
- memset (&player, 0, sizeof (player));
-
- WaitressInit (&player.waith);
- WaitressSetUrl (&player.waith, curSong->audioUrl);
-
- player.gain = curSong->fileGain;
- player.audioFormat = curSong->audioFormat;
-
- /* throw event */
- BarUiStartEventCmd (&settings, "songstart", curStation,
- curSong, PIANO_RET_OK);
-
- /* start player */
- pthread_create (&playerThread, NULL, BarPlayerThread,
- &player);
+
+ if (curSong->audioUrl == NULL) {
+ BarUiMsg (MSG_ERR, "Invalid song url\n");
+ } else {
+ /* setup artist and song name for scrobbling (curSong
+ * may be NULL later) */
+ WardrobeSongInit (&scrobbleSong);
+ scrobbleSong.artist = strdup (curSong->artist);
+ scrobbleSong.title = strdup (curSong->title);
+ scrobbleSong.album = strdup (curSong->album);
+ scrobbleSong.started = time (NULL);
+
+ /* setup player */
+ memset (&player, 0, sizeof (player));
+
+ WaitressInit (&player.waith);
+ WaitressSetUrl (&player.waith, curSong->audioUrl);
+
+ player.gain = curSong->fileGain;
+ player.audioFormat = curSong->audioFormat;
+
+ /* throw event */
+ BarUiStartEventCmd (&settings, "songstart", curStation,
+ curSong, PIANO_RET_OK);
+
+ /* start player */
+ pthread_create (&playerThread, NULL, BarPlayerThread,
+ &player);
+ }
 }
 } /* end if curStation != NULL */
 }
-- cgit v1.2.3
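Review bot: In src/main.c, the new `curSong->audioUrl == NULL` guard covers only one of the song fields dereferenced in the else branch: `strdup (curSong->artist)`, `strdup (curSong->title)` and `strdup (curSong->album)` are still called unconditionally, and strdup on a NULL pointer is undefined behaviour. If these fields are filled from the same server response as audioUrl (the parser is not in this hunk), a response that omits one of them would crash here in the same way. A guarded form such as `scrobbleSong.artist = curSong->artist ? strdup (curSong->artist) : NULL;` for each field avoids that, provided the scrobbling code accepts NULL. Separately, the return value of `pthread_create` is ignored, so a failed thread start goes unreported. main's body starts and ends outside the hunk.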