From e033ae190e67674064a2e089874b5a4185f8a654 Mon Sep 17 00:00:00 2001 From: Lars-Dominik Braun Date: Sat, 28 Nov 2009 12:07:28 +0100 Subject: piano: Fix NULL pointer dereference --- libpiano/src/http.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'libpiano') diff --git a/libpiano/src/http.c b/libpiano/src/http.c index 98b5e11..4af5ccc 100644 --- a/libpiano/src/http.c +++ b/libpiano/src/http.c @@ -51,7 +51,8 @@ PianoReturn_t PianoHttpPost (WaitressHandle_t *waith, const char *postData, waith->postData = reqPostData; waith->method = WAITRESS_METHOD_POST; - if (WaitressFetchBuf (waith, retData) == WAITRESS_RET_OK) { + if (WaitressFetchBuf (waith, retData) == WAITRESS_RET_OK && + *retData != NULL) { pRet = PIANO_RET_OK; } @@ -71,7 +72,8 @@ PianoReturn_t PianoHttpGet (WaitressHandle_t *waith, char **retData) { waith->postData = NULL; waith->method = WAITRESS_METHOD_GET; - if (WaitressFetchBuf (waith, retData) == WAITRESS_RET_OK) { + if (WaitressFetchBuf (waith, retData) == WAITRESS_RET_OK && + *retData != NULL) { return PIANO_RET_OK; } return PIANO_RET_NET_ERROR; -- cgit v1.2.3 From 7dff801f34a76dd7950fc1751ce5ee2978e9b32d Mon Sep 17 00:00:00 2001 From: Lars-Dominik Braun Date: Sat, 28 Nov 2009 12:23:45 +0100 Subject: piano: Don't decrypt too short urls Avoids invalid memory reads/writes --- libpiano/src/xml.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'libpiano') diff --git a/libpiano/src/xml.c b/libpiano/src/xml.c index 8e8fb2a..185002d 100644 --- a/libpiano/src/xml.c +++ b/libpiano/src/xml.c @@ -240,7 +240,10 @@ static void PianoXmlParsePlaylistCb (const char *key, const ezxml_t value, char *urlTail = NULL, *urlTailCrypted = &valueStr[valueStrN - urlTailN]; - if ((urlTail = PianoDecryptString (urlTailCrypted)) != NULL) { + /* don't try to decrypt if string is too short (=> invalid memory + * reads/writes) */ + if (valueStrN > urlTailN && + (urlTail = PianoDecryptString (urlTailCrypted)) != NULL) { if ((song->audioUrl = calloc (valueStrN + 1, sizeof (*song->audioUrl))) != NULL) { memcpy (song->audioUrl, valueStr, valueStrN - urlTailN); -- cgit v1.2.3