From: Aurelien David Date: Thu, 11 Apr 2019 12:18:58 +0000 (+0200) Subject: [PATCH] fix a bunch of vsprintf -> vsnprintf X-Git-Tag: archive/raspbian/1.0.1+dfsg1-4+rpi1~1^2^2^2~2 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=345dfd136338d3308c027b6b72286688cf875ec0;p=gpac.git [PATCH] fix a bunch of vsprintf -> vsnprintf closes #1203 Gbp-Pq: Name CVE-2019-11221.patch
---
diff --git a/applications/mp4client/main.c b/applications/mp4client/main.c
index 63b4651..316ebfb 100644
--- a/applications/mp4client/main.c
+++ b/applications/mp4client/main.c
@@ -1038,7 +1038,7 @@ static void on_gpac_log(void *cbk, GF_LOG_Level ll, GF_LOG_Tool lm, const char *
 if (rti_logs && (lm & GF_LOG_RTI)) {
 char szMsg[2048];
- vsprintf(szMsg, fmt, list);
+ vsnprintf(szMsg, 2048, fmt, list);
 UpdateRTInfo(szMsg + 6 /*"[RTI] "*/);
 } else {
 if (log_time_start) {
diff --git a/src/media_tools/media_export.c b/src/media_tools/media_export.c
index 23f20b3..e9a7849 100644
--- a/src/media_tools/media_export.c
+++ b/src/media_tools/media_export.c
@@ -57,7 +57,7 @@ static GF_Err gf_export_message(GF_MediaExporter *dumper, GF_Err e, char *format
 va_list args;
 char szMsg[1024];
 va_start(args, format);
- vsprintf(szMsg, format, args);
+ vsnprintf(szMsg, 1024, format, args);
 va_end(args);
 GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_AUTHOR, ("%s\n", szMsg) );
 }
diff --git a/src/media_tools/media_import.c b/src/media_tools/media_import.c
index 332d0e4..77c62e1 100644
--- a/src/media_tools/media_import.c
+++ b/src/media_tools/media_import.c
@@ -52,7 +52,7 @@ GF_Err gf_import_message(GF_MediaImporter *import, GF_Err e, char *format, ...)
 va_list args;
 char szMsg[1024];
 va_start(args, format);
- vsprintf(szMsg, format, args);
+ vsnprintf(szMsg, 1024, format, args);
 va_end(args);
 GF_LOG((u32) (e ? GF_LOG_WARNING : GF_LOG_INFO), GF_LOG_AUTHOR, ("%s\n", szMsg) );
 }
diff --git a/src/scene_manager/loader_bt.c b/src/scene_manager/loader_bt.c
index 3c71fdf..46e92a5 100644
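Review bot: In the mp4client/main.c hunk, `UpdateRTInfo(szMsg + 6 /*"[RTI] "*/)` still skips six bytes unconditionally, so a formatted message shorter than six characters leaves the pointer past the terminator, in the uninitialised part of `szMsg`. Keeping the vsnprintf result and guarding on it closes that: `int n = vsnprintf(szMsg, sizeof(szMsg), fmt, list);` followed by `if (n >= 6) UpdateRTInfo(szMsg + 6);`. Using `sizeof(szMsg)` rather than the literal 2048 also ties the bound to the declaration. on_gpac_log starts and ends outside the hunk, so whether every RTI message really carries the "[RTI] " prefix cannot be confirmed from here.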
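Review bot: The bound passed to vsnprintf in gf_export_message repeats the array length as a literal (`1024`), so a later resize of `szMsg` would quietly bring the overflow back; `vsnprintf(szMsg, sizeof(szMsg), format, args);` keeps the two in step. The same applies to the hunks in media_import.c, loader_bt.c, loader_isom.c, loader_qt.c, loader_svg.c, loader_xmt.c, swf_parse.c, xbl_process.c and alloc.c. In each of them the return value is discarded as well, so an over-long message is now truncated without any trace; if that matters for diagnostics, compare the result with the buffer size and mark the message as cut.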
--- a/src/scene_manager/loader_bt.c
+++ b/src/scene_manager/loader_bt.c
@@ -121,7 +121,7 @@ static GF_Err gf_bt_report(GF_BTParser *parser, GF_Err e, char *format, ...)
 char szMsg[2048];
 va_list args;
 va_start(args, format);
- vsprintf(szMsg, format, args);
+ vsnprintf(szMsg, 2048, format, args);
 va_end(args);
 GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[BT/WRL Parsing] %s (line %d)\n", szMsg, parser->line));
 }
diff --git a/src/scene_manager/loader_isom.c b/src/scene_manager/loader_isom.c
index db01a95..8902aa0 100644
--- a/src/scene_manager/loader_isom.c
+++ b/src/scene_manager/loader_isom.c
@@ -144,7 +144,7 @@ static void mp4_report(GF_SceneLoader *load, GF_Err e, char *format, ...)
 char szMsg[1024];
 va_list args;
 va_start(args, format);
- vsprintf(szMsg, format, args);
+ vsnprintf(szMsg, 1024, format, args);
 va_end(args);
 GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[MP4 Loading] %s\n", szMsg) );
 }
diff --git a/src/scene_manager/loader_qt.c b/src/scene_manager/loader_qt.c
index 661b450..e7382c9 100644
--- a/src/scene_manager/loader_qt.c
+++ b/src/scene_manager/loader_qt.c
@@ -40,7 +40,7 @@ static GF_Err gf_qt_report(GF_SceneLoader *load, GF_Err e, char *format, ...)
 char szMsg[1024];
 va_list args;
 va_start(args, format);
- vsprintf(szMsg, format, args);
+ vsnprintf(szMsg, 1024, format, args);
 va_end(args);
 GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[QT Parsing] %s\n", szMsg) );
 }
diff --git a/src/scene_manager/loader_svg.c b/src/scene_manager/loader_svg.c
index 62fe8a7..d91450b 100644
--- a/src/scene_manager/loader_svg.c
+++ b/src/scene_manager/loader_svg.c
@@ -134,7 +134,7 @@ static GF_Err svg_report(GF_SVG_Parser *parser, GF_Err e, char *format, ...)
 char szMsg[2048];
 va_list args;
 va_start(args, format);
- vsprintf(szMsg, format, args);
+ vsnprintf(szMsg, 2048, format, args);
 va_end(args);
 GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[SVG Parsing] line %d - %s\n", gf_xml_sax_get_line(parser->sax_parser), szMsg));
 }
diff --git a/src/scene_manager/loader_xmt.c b/src/scene_manager/loader_xmt.c
index f941943..f8b9f9a 100644
--- a/src/scene_manager/loader_xmt.c
+++ b/src/scene_manager/loader_xmt.c
@@ -144,7 +144,7 @@ static GF_Err xmt_report(GF_XMTParser *parser, GF_Err e, char *format, ...)
 char szMsg[2048];
 va_list args;
 va_start(args, format);
- vsprintf(szMsg, format, args);
+ vsnprintf(szMsg, 2048, format, args);
 va_end(args);
 GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[XMT Parsing] %s (line %d)\n", szMsg, gf_xml_sax_get_line(parser->sax_parser)) );
 }
diff --git a/src/scene_manager/swf_parse.c b/src/scene_manager/swf_parse.c
index 1545cd6..a1d5d87 100644
--- a/src/scene_manager/swf_parse.c
+++ b/src/scene_manager/swf_parse.c
@@ -2428,7 +2428,7 @@ void swf_report(SWFReader *read, GF_Err e, char *format, ...)
 char szMsg[2048];
 va_list args;
 va_start(args, format);
- vsprintf(szMsg, format, args);
+ vsnprintf(szMsg, 2048, format, args);
 va_end(args);
 GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[SWF Parsing] %s (frame %d)\n", szMsg, read->current_frame+1) );
 }
diff --git a/src/scene_manager/swf_svg.c b/src/scene_manager/swf_svg.c
index edc563e..28397ca 100644
--- a/src/scene_manager/swf_svg.c
+++ b/src/scene_manager/swf_svg.c
@@ -51,7 +51,7 @@ static void swf_svg_print(SWFReader *read, const char *format, ...) {
 /* print the line */
 va_start(args, format);
- vsprintf(line, format, args);
+ vsnprintf(line, 2000, format, args);
 va_end(args);
 /* add the line to the buffer */
 line_length = (u32)strlen(line);
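Review bot: In swf_svg_print the bound `2000` cannot be checked against anything in the hunk, because the declaration of `line` lies above the visible context. If `line` is a local array, `vsnprintf(line, sizeof(line), format, args);` removes the need for the two numbers to agree; if it is a pointer, the allocation size should be passed instead. Judging by the comment that follows, `strlen(line)` then sizes the append to the output buffer, so a truncated line is stored as if it were complete; checking the vsnprintf result (negative, or `>= sizeof(line)`) would let the function report that. The function body continues past the end of the hunk.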
diff --git a/src/scenegraph/xbl_process.c b/src/scenegraph/xbl_process.c
index 21ef3a0..216f7d3 100644
--- a/src/scenegraph/xbl_process.c
+++ b/src/scenegraph/xbl_process.c
@@ -61,7 +61,7 @@ static GF_Err xbl_parse_report(GF_XBL_Parser *parser, GF_Err e, char *format, ..
 char szMsg[2048];
 va_list args;
 va_start(args, format);
- vsprintf(szMsg, format, args);
+ vsnprintf(szMsg, 2048, format, args);
 va_end(args);
 GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[XBL Parsing] line %d - %s\n", gf_xml_sax_get_line(parser->sax_parser), szMsg));
 }
diff --git a/src/utils/alloc.c b/src/utils/alloc.c
index 1701166..0c8c960 100644
--- a/src/utils/alloc.c
+++ b/src/utils/alloc.c
@@ -815,7 +815,7 @@ static void gf_memory_log(unsigned int level, const char *fmt, ...)
 char msg[1024];
 assert(strlen(fmt) < 200);
 va_start(vl, fmt);
- vsprintf(msg, fmt, vl);
+ vsnprintf(msg, 1024, fmt, vl);
 GF_LOG(level, GF_LOG_MEMORY, (msg));
 va_end(vl);
 }
diff --git a/src/utils/xml_parser.c b/src/utils/xml_parser.c
index 915a51a..b153a47 100644
--- a/src/utils/xml_parser.c
+++ b/src/utils/xml_parser.c
@@ -220,14 +220,16 @@ static void format_sax_error(GF_SAXParser *parser, u32 linepos, const char* fmt,
 char szM[20];
 va_start(args, fmt);
- vsprintf(parser->err_msg, fmt, args);
+ vsnprintf(parser->err_msg, ARRAY_LENGTH(parser->err_msg), fmt, args);
 va_end(args);
- sprintf(szM, " - Line %d: ", parser->line + 1);
- strcat(parser->err_msg, szM);
- len = (u32) strlen(parser->err_msg);
- strncpy(parser->err_msg + len, parser->buffer+ (linepos ? linepos : parser->current_pos), 10);
- parser->err_msg[len + 10] = 0;
+ if (strlen(parser->err_msg)+30 < ARRAY_LENGTH(parser->err_msg)) {
+ snprintf(szM, 20, " - Line %d: ", parser->line + 1);
+ strcat(parser->err_msg, szM);
+ len = (u32) strlen(parser->err_msg);
+ strncpy(parser->err_msg + len, parser->buffer+ (linepos ? linepos : parser->current_pos), 10);
+ parser->err_msg[len + 10] = 0;
+ }
 parser->sax_state = SAX_STATE_SYNTAX_ERROR;
 }
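Review bot: In gf_memory_log the formatted text is handed to the logger as the format itself, `GF_LOG(level, GF_LOG_MEMORY, (msg));`, while every other reporter in this patch passes `("%s\n", szMsg)`. If GF_LOG forwards that tuple to a printf-style function, as the other call sites suggest, any `%` that survives into `msg` is interpreted a second time; `GF_LOG(level, GF_LOG_MEMORY, ("%s", msg));` avoids that. The `assert(strlen(fmt) < 200)` guard also disappears in builds compiled with NDEBUG, so it should not be relied on as a limit, and `sizeof(msg)` would be safer than the literal 1024.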
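Review bot: The guarded block in format_sax_error still builds the suffix with strcat and strncpy, and its safety depends on the constants 30, 20 and 10 being kept consistent by hand. One bounded call does the same work and makes `szM` unnecessary: `len = (u32) strlen(parser->err_msg);` then `snprintf(parser->err_msg + len, ARRAY_LENGTH(parser->err_msg) - len, " - Line %d: %.10s", parser->line + 1, parser->buffer + (linepos ? linepos : parser->current_pos));`. That also appends as much of the location as fits, where the current guard omits it entirely once the message is long. Nothing in the hunk shows `linepos` or `current_pos` being checked against the length of `parser->buffer`, so the ten-byte read relies on the buffer being NUL-terminated at or after that offset, which is worth confirming in the caller.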