From e033ae190e67674064a2e089874b5a4185f8a654 Mon Sep 17 00:00:00 2001
From: Lars-Dominik Braun <PromyLOPh@lavabit.com>
Date: Sat, 28 Nov 2009 12:07:28 +0100
Subject: piano: Fix NULL pointer dereference

---
 libpiano/src/http.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'libpiano')

diff --git a/libpiano/src/http.c b/libpiano/src/http.c
index 98b5e11..4af5ccc 100644
--- a/libpiano/src/http.c
+++ b/libpiano/src/http.c
@@ -51,7 +51,8 @@ PianoReturn_t PianoHttpPost (WaitressHandle_t *waith, const char *postData,
 	waith->postData = reqPostData;
 	waith->method = WAITRESS_METHOD_POST;
 
-	if (WaitressFetchBuf (waith, retData) == WAITRESS_RET_OK) {
+	if (WaitressFetchBuf (waith, retData) == WAITRESS_RET_OK &&
+			*retData != NULL) {
 		pRet = PIANO_RET_OK;
 	}
 
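Review bot: The added `*retData != NULL` test has no comment saying when WaitressFetchBuf reports WAITRESS_RET_OK without a buffer, and the same bare condition is repeated in PianoHttpGet in the next hunk. A short comment above both checks would record the contract, e.g. `/* WaitressFetchBuf may return OK with *retData == NULL; never report PIANO_RET_OK without a buffer */`. Presumably this case is an empty response; if so, callers cannot tell it apart from a transport failure, since PianoHttpGet returns PIANO_RET_NET_ERROR for both and PianoHttpPost returns whatever pRet was initialised to, which is not visible here. PianoHttpPost starts and ends outside this hunk.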
@@ -71,7 +72,8 @@ PianoReturn_t PianoHttpGet (WaitressHandle_t *waith, char **retData) {
 	waith->postData = NULL;
 	waith->method = WAITRESS_METHOD_GET;
 
-	if (WaitressFetchBuf (waith, retData) == WAITRESS_RET_OK) {
+	if (WaitressFetchBuf (waith, retData) == WAITRESS_RET_OK &&
+			*retData != NULL) {
 		return PIANO_RET_OK;
 	}
 	return PIANO_RET_NET_ERROR;
-- 
cgit v1.2.3


From 7dff801f34a76dd7950fc1751ce5ee2978e9b32d Mon Sep 17 00:00:00 2001
From: Lars-Dominik Braun <PromyLOPh@lavabit.com>
Date: Sat, 28 Nov 2009 12:23:45 +0100
Subject: piano: Don't decrypt too short urls

Avoids invalid memory reads/writes
---
 libpiano/src/xml.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'libpiano')

diff --git a/libpiano/src/xml.c b/libpiano/src/xml.c
index 8e8fb2a..185002d 100644
--- a/libpiano/src/xml.c
+++ b/libpiano/src/xml.c
@@ -240,7 +240,10 @@ static void PianoXmlParsePlaylistCb (const char *key, const ezxml_t value,
 		char *urlTail = NULL,
 				*urlTailCrypted = &valueStr[valueStrN - urlTailN];
 
-		if ((urlTail = PianoDecryptString (urlTailCrypted)) != NULL) {
+		/* don't try to decrypt if string is too short (=> invalid memory
+		 * reads/writes) */
+		if (valueStrN > urlTailN &&
+				(urlTail = PianoDecryptString (urlTailCrypted)) != NULL) {
 			if ((song->audioUrl = calloc (valueStrN + 1,
 					sizeof (*song->audioUrl))) != NULL) {
 				memcpy (song->audioUrl, valueStr, valueStrN - urlTailN);
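Review bot: The pointer `urlTailCrypted = &valueStr[valueStrN - urlTailN]` is still formed in the declaration above the new `valueStrN > urlTailN` guard, so for a too-short value the out-of-range address is computed before the check rejects it. If the two lengths are unsigned (their declarations are outside the hunk) the subtraction wraps, and forming a pointer outside the buffer is undefined behaviour in C even when it is never dereferenced. Initialise it with `*urlTailCrypted = NULL;` in the declaration and assign `urlTailCrypted = &valueStr[valueStrN - urlTailN];` only after the length test has passed. The enclosing callback starts and ends outside the hunk, so what happens to song->audioUrl when the guard fails is not visible here.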
-- 
cgit v1.2.3