drgreen/android_frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

am b83e8b69: am 292c979a: am d440ca76: am f3a5323c: am 6d8f5b75: libdrm: fix bad strncpy / snprintf calls

Browse Source 
* commit 'b83e8b693b6738ba8e778d556ccdba629d372b52':
  libdrm: fix bad strncpy / snprintf calls
This commit is contained in:
Nick Kralevich
2013-04-29 15:46:21 -07:00
committed by Android Git Automerger
parent 4a22f9a7bb b83e8b693b
commit 4d17834ab3
2 changed files with 43 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
media/libdrm/mobile1/src/parser/parser_dcf.c
View File

@ -58,11 +58,20 @@ int32_t drm_dcfParser(uint8_t *buffer, int32_t bufferLen, T_DRM_DCF_Info *pDcfIn
pDcfInfo->Version = *(tmpBuf++);
if (0x01 != pDcfInfo->Version) /* Because it is OMA DRM v1.0, the vension must be 1 */
return FALSE;
pDcfInfo->ContentTypeLen = *(tmpBuf++);
if (pDcfInfo->ContentTypeLen >= MAX_CONTENT_TYPE_LEN)
return FALSE;
pDcfInfo->ContentURILen = *(tmpBuf++);
if (pDcfInfo->ContentURILen >= MAX_CONTENT_URI_LEN)
return FALSE;
strncpy((char *)pDcfInfo->ContentType, (char *)tmpBuf, pDcfInfo->ContentTypeLen);
pDcfInfo->ContentType[MAX_CONTENT_TYPE_LEN - 1] = 0;
tmpBuf += pDcfInfo->ContentTypeLen;
strncpy((char *)pDcfInfo->ContentURI, (char *)tmpBuf, pDcfInfo->ContentURILen);
pDcfInfo->ContentURI[MAX_CONTENT_URI_LEN - 1] = 0;
tmpBuf += pDcfInfo->ContentURILen;
/* 2. Get the headers length and data length */
@ -86,30 +95,49 @@ int32_t drm_dcfParser(uint8_t *buffer, int32_t bufferLen, T_DRM_DCF_Info *pDcfIn
while ('\r' != *pEnd && pEnd < pData)
pEnd++;
if (0 == strncmp((char *)pStart, HEADER_ENCRYPTION_METHOD, HEADER_ENCRYPTION_METHOD_LEN))
if (0 == strncmp((char *)pStart, HEADER_ENCRYPTION_METHOD, HEADER_ENCRYPTION_METHOD_LEN)) {
if ((pEnd - pStart - HEADER_ENCRYPTION_METHOD_LEN) >= MAX_ENCRYPTION_METHOD_LEN)
return FALSE;
strncpy((char *)pDcfInfo->Encryption_Method,
(char *)(pStart + HEADER_ENCRYPTION_METHOD_LEN),
pEnd - pStart - HEADER_ENCRYPTION_METHOD_LEN);
else if (0 == strncmp((char *)pStart, HEADER_RIGHTS_ISSUER, HEADER_RIGHTS_ISSUER_LEN))
pDcfInfo->Encryption_Method[MAX_ENCRYPTION_METHOD_LEN - 1] = 0;
} else if (0 == strncmp((char *)pStart, HEADER_RIGHTS_ISSUER, HEADER_RIGHTS_ISSUER_LEN)) {
if ((pEnd - pStart - HEADER_RIGHTS_ISSUER_LEN) >= MAX_RIGHTS_ISSUER_LEN)
return FALSE;
strncpy((char *)pDcfInfo->Rights_Issuer,
(char *)(pStart + HEADER_RIGHTS_ISSUER_LEN),
pEnd - pStart - HEADER_RIGHTS_ISSUER_LEN);
else if (0 == strncmp((char *)pStart, HEADER_CONTENT_NAME, HEADER_CONTENT_NAME_LEN))
pDcfInfo->Rights_Issuer[MAX_RIGHTS_ISSUER_LEN - 1] = 0;
} else if (0 == strncmp((char *)pStart, HEADER_CONTENT_NAME, HEADER_CONTENT_NAME_LEN)) {
if ((pEnd - pStart - HEADER_CONTENT_NAME_LEN) >= MAX_CONTENT_NAME_LEN)
return FALSE;
strncpy((char *)pDcfInfo->Content_Name,
(char *)(pStart + HEADER_CONTENT_NAME_LEN),
pEnd - pStart - HEADER_CONTENT_NAME_LEN);
else if (0 == strncmp((char *)pStart, HEADER_CONTENT_DESCRIPTION, HEADER_CONTENT_DESCRIPTION_LEN))
pDcfInfo->Content_Name[MAX_CONTENT_NAME_LEN - 1] = 0;
} else if (0 == strncmp((char *)pStart, HEADER_CONTENT_DESCRIPTION, HEADER_CONTENT_DESCRIPTION_LEN)) {
if ((pEnd - pStart - HEADER_CONTENT_DESCRIPTION_LEN) >= MAX_CONTENT_DESCRIPTION_LEN)
return FALSE;
strncpy((char *)pDcfInfo->ContentDescription,
(char *)(pStart + HEADER_CONTENT_DESCRIPTION_LEN),
pEnd - pStart - HEADER_CONTENT_DESCRIPTION_LEN);
else if (0 == strncmp((char *)pStart, HEADER_CONTENT_VENDOR, HEADER_CONTENT_VENDOR_LEN))
pDcfInfo->ContentDescription[MAX_CONTENT_DESCRIPTION_LEN - 1] = 0;
} else if (0 == strncmp((char *)pStart, HEADER_CONTENT_VENDOR, HEADER_CONTENT_VENDOR_LEN)) {
if ((pEnd - pStart - HEADER_CONTENT_VENDOR_LEN) >= MAX_CONTENT_VENDOR_LEN)
return FALSE;
strncpy((char *)pDcfInfo->ContentVendor,
(char *)(pStart + HEADER_CONTENT_VENDOR_LEN),
pEnd - pStart - HEADER_CONTENT_VENDOR_LEN);
else if (0 == strncmp((char *)pStart, HEADER_ICON_URI, HEADER_ICON_URI_LEN))
pDcfInfo->ContentVendor[MAX_CONTENT_VENDOR_LEN - 1] = 0;
} else if (0 == strncmp((char *)pStart, HEADER_ICON_URI, HEADER_ICON_URI_LEN)) {
if ((pEnd - pStart - HEADER_ICON_URI_LEN) >= MAX_ICON_URI_LEN)
return FALSE;
strncpy((char *)pDcfInfo->Icon_URI,
(char *)(pStart + HEADER_ICON_URI_LEN),
pEnd - pStart - HEADER_ICON_URI_LEN);
pDcfInfo->Icon_URI[MAX_ICON_URI_LEN - 1] = 0;
}
if ('\n' == *(pEnd + 1))
pStart = pEnd + 2; /* Two bytes: a '\r' and a '\n' */

10
media/libdrm/mobile1/src/parser/parser_dm.c
View File

@ -90,7 +90,10 @@ int32_t drm_parseDM(const uint8_t *buffer, int32_t bufferLen, T_DRM_DM_Info *pDm
/* if can not find the CRLF, return FALSE */
if (NULL == pEnd)
return FALSE;
if ((pEnd - pStart) >= MAX_CONTENT_BOUNDARY_LEN)
return FALSE;
strncpy((char *)pDmInfo->boundary, (char *)pStart, pEnd - pStart);
pDmInfo->boundary[MAX_CONTENT_BOUNDARY_LEN - 1] = 0;
boundaryLen = strlen((char *)pDmInfo->boundary) + 2; /* 2 means: '\r' and '\n' */
pEnd += 2; /* skip the '\r' and '\n' */
@ -126,6 +129,8 @@ int32_t drm_parseDM(const uint8_t *buffer, int32_t bufferLen, T_DRM_DM_Info *pDm
DRM_SKIP_SPACE_TAB(pStart);
if (pEnd - pStart > 0) {
if ((pEnd - pStart) >= MAX_CONTENT_TYPE_LEN)
return FALSE;
strncpy((char *)pDmInfo->contentType, (char *)pStart, pEnd - pStart);
pDmInfo->contentType[pEnd - pStart] = '\0';
}
@ -146,13 +151,16 @@ int32_t drm_parseDM(const uint8_t *buffer, int32_t bufferLen, T_DRM_DM_Info *pDm
/* Change the format from <...> to cid:... */
if (NULL != (pTmp = (uint8_t *)memchr((char *)pStart, '<', pEnd - pStart))) {
if ((pEnd - pTmp - 1) >= (int) sizeof(tmpBuf))
return FALSE;
strncpy((char *)tmpBuf, (char *)(pTmp + 1), pEnd - pTmp - 1);
tmpBuf[MAX_CONTENT_ID - 1] = 0;
if (NULL != (pTmp = (uint8_t *)memchr((char *)tmpBuf, '>', pEnd - pTmp - 1))) {
*pTmp = '\0';
memset(pDmInfo->contentID, 0, MAX_CONTENT_ID);
sprintf((char *)pDmInfo->contentID, "%s%s", "cid:", (int8_t *)tmpBuf);
snprintf((char *)pDmInfo->contentID, MAX_CONTENT_ID, "%s%s", "cid:", (int8_t *)tmpBuf);
}
}
}