diff --git a/modules/services_discovery/sap.c b/modules/services_discovery/sap.c
index 4b3ea98acf..40d4466672 100644
--- a/modules/services_discovery/sap.c
+++ b/modules/services_discovery/sap.c
@@ -587,10 +587,12 @@ static int Control( demux_t *p_demux, int i_query, va_list args )
 * Local functions
 **************************************************************/
+/* i_read is at least > 6 */
 static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
 {
 int i_version, i_address_type, i_hash, i;
 uint8_t *psz_sdp;
+ uint8_t *psz_initial_sdp;
 sdp_t *p_sdp;
 vlc_bool_t b_compressed;
 vlc_bool_t b_need_delete = VLC_FALSE;
@@ -638,14 +640,25 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
 }
 psz_sdp = &p_buffer[4];
+ psz_initial_sdp = psz_sdp;
 if( i_address_type == 0 ) /* ipv4 source address */
 {
 psz_sdp += 4;
+ if( i_read <= 9 )
+ {
+ msg_Warn( p_sd,"too short SAP packet\n" );
+ return VLC_EGENERIC;
+ }
 }
 else /* ipv6 source address */
 {
 psz_sdp += 16;
+ if( i_read <= 21 )
+ {
+ msg_Warn( p_sd,"too short SAP packet\n" );
+ return VLC_EGENERIC;
+ }
 }
 if( b_compressed )
@@ -666,12 +679,21 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
 }
 /* Add the size of authentification info */
+ if( i_read < p_buffer[1] + (psz_sdp - psz_initial_sdp ) )
+ {
+ msg_Warn( p_sd, "too short SAP packet\n");
+ return VLC_EGENERIC;
+ }
 psz_sdp += p_buffer[1];
 /* Skip payload type */
 /* Handle announces without \0 between SAP and SDP */
 while( *psz_sdp != '\0' && ( psz_sdp[0] != 'v' && psz_sdp[1] != '=' ) )
 {
+ if( psz_sdp - psz_initial_sdp >= i_read - 5 )
+ {
+ msg_Warn( p_sd, "empty SDP ?");
+ }
 psz_sdp++;
 }
@@ -680,7 +702,6 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
 psz_sdp++;
 }
-
 /* Parse SDP info */
 p_sdp = ParseSDP( VLC_OBJECT(p_sd), psz_sdp );
diff --git a/src/playlist/item-ext.c b/src/playlist/item-ext.c
index cd6c6c7337..aebba71cd0 100644
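Review bot: The two length guards added in the ipv4 and ipv6 branches repeat the same block with hard-coded limits (9 and 21), so the bound is no longer visibly tied to the offset that was just added to psz_sdp. A single guard placed after the if/else, `if( i_read <= ( psz_sdp - p_buffer ) + 1 )`, rejects exactly the same packets and keeps the limit derived from the pointer. The message here ends in `\n` while the other warning added by this commit (`"empty SDP ?"`) does not; one convention should be used. ParseSAP's body continues outside this hunk.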
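Review bot: The bound check added inside the `while` loop only logs "empty SDP ?" and then falls through to `psz_sdp++`, so a packet with neither a NUL nor a `v=` still drives the scan past the i_read bytes that were received, repeating the warning on every further iteration; the branch has to leave the function, e.g. `msg_Warn( p_sd, "empty SDP ?" ); return VLC_EGENERIC;`. The authentication-length guard above it is also 4 bytes too lenient, because psz_initial_sdp is `&p_buffer[4]` and the difference therefore leaves out the fixed header; it should measure from the start of the buffer, `if( i_read < p_buffer[1] + ( psz_sdp - p_buffer ) )`. Whether the caller NUL-terminates p_buffer is not visible here, so neither check should depend on it. ParseSAP starts and ends outside this hunk.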
--- a/src/playlist/item-ext.c
+++ b/src/playlist/item-ext.c
@@ -226,7 +226,6 @@ int playlist_AddItem( playlist_t *p_playlist, playlist_item_t *p_item,
 p_add->i_view = VIEW_SIMPLE;
 val.p_address = p_add;
 var_Set( p_playlist, "item-append", val );
-
 }
 else
 {
diff --git a/src/playlist/view.c b/src/playlist/view.c
index dd62aa4b13..a7e3b155f5 100644
--- a/src/playlist/view.c
+++ b/src/playlist/view.c
@@ -401,6 +401,7 @@ int playlist_NodeInsert( playlist_t *p_playlist,
 if( !p_parent || p_parent->i_children == -1 )
 {
 msg_Err( p_playlist, "invalid node" );
+ return VLC_EGENERIC;
 }
 if( i_position == -1 ) i_position = p_parent->i_children ;
@@ -510,22 +511,20 @@ int playlist_NodeChildrenCount( playlist_t *p_playlist, playlist_item_t*p_node)
 playlist_item_t *playlist_ChildSearchName( playlist_item_t *p_node, const char *psz_search )
 {
- int i;
+ int i;
- if( p_node->i_children < 0 )
- {
- return NULL;
- }
-
- for( i = 0 ; i< p_node->i_children; i++ )
- {
- if( !strncmp( p_node->pp_children[i]->input.psz_name, psz_search,
- strlen( p_node->pp_children[i]->input.psz_name ) ) )
+ if( p_node->i_children < 0 )
+ {
+ return NULL;
+ }
+ for( i = 0 ; i< p_node->i_children; i++ )
+ {
+ if( !strcmp( p_node->pp_children[i]->input.psz_name, psz_search ) )
 {
 return p_node->pp_children[i];
 }
- }
- return NULL;
+ }
+ return NULL;
 }
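Review bot: Replacing `strncmp` bounded by the child's name length with `strcmp` changes playlist_ChildSearchName from "child name is a prefix of psz_search" to an exact match, but the change is buried in a re-indentation of the whole body and nothing documents which semantics callers get. I would add a header comment such as `/* Return the first direct child of p_node whose name is exactly psz_search, or NULL if there is none */` and keep the whitespace-only edits in a separate commit. p_node, psz_search and each child's input.psz_name are used without a NULL check; whether any of them can be NULL is not visible in this hunk, so the comment should state that they must not be.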