Check some unsanitized network inputs before allocating memory using them.
authorCarl Hetherington <cth@carlh.net>
Sat, 28 Oct 2023 21:03:24 +0000 (23:03 +0200)
committerCarl Hetherington <cth@carlh.net>
Sat, 28 Oct 2023 21:03:24 +0000 (23:03 +0200)
src/lib/encode_server.cc
src/lib/encode_server_finder.cc
src/tools/dcpomatic_batch.cc
src/tools/dcpomatic_player.cc

index 6501dcde15bed5b6a5af3d7b5275415370284769..036ea58a5df92b94cb5cde24e6a7666be195f3a4 100644 (file)
@@ -126,6 +126,10 @@ EncodeServer::process (shared_ptr<Socket> socket, struct timeval& after_read, st
        Socket::ReadDigestScope ds (socket);
 
        auto length = socket->read_uint32 ();
+       if (length > 65536) {
+               throw NetworkError("Malformed encode request (too large)");
+       }
+
        scoped_array<char> buffer (new char[length]);
        socket->read (reinterpret_cast<uint8_t*>(buffer.get()), length);
 
index 3f5cb74f01bddbe659dc2360446d454bdbe06725..1d4ced5951f01315306259a861bf2c5645b94aa5 100644 (file)
@@ -227,6 +227,11 @@ EncodeServerFinder::handle_accept (boost::system::error_code ec)
                _accept_socket->read (reinterpret_cast<uint8_t*>(&length), sizeof(uint32_t));
                length = ntohl (length);
 
+               if (length > 65536) {
+                       start_accept();
+                       return;
+               }
+
                scoped_array<char> buffer(new char[length]);
                _accept_socket->read (reinterpret_cast<uint8_t*>(buffer.get()), length);
                server_available = buffer.get();
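Review bot: `server_available = buffer.get();` on the last line still reads the buffer as a C string, and nothing guarantees that the peer's `length` bytes contain a NUL (a length of 0 also passes the new check), so the copy can run past the end of the allocation even with the size cap in place. Allocating one extra byte and terminating it closes that: `scoped_array<char> buffer(new char[length + 1]);` and, after the read, `buffer[length] = '\0';`. The same pattern appears as `string s(buffer.get());` in the dcpomatic_batch.cc and dcpomatic_player.cc hunks. The type of `server_available` is not visible here (presumably a std::string), and handle_accept starts and ends outside the hunk.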
index dc092bf8ca1c06976a769cbc128daf22a6e0fcc6..3114768aca497c5f03bd8ebc4845b239ffb6b2b9 100644 (file)
@@ -402,12 +402,14 @@ public:
        void handle (shared_ptr<Socket> socket) override
        {
                try {
-                       int const length = socket->read_uint32 ();
-                       scoped_array<char> buffer(new char[length]);
-                       socket->read (reinterpret_cast<uint8_t*>(buffer.get()), length);
-                       string s (buffer.get());
-                       emit(boost::bind(boost::ref(StartJob), s));
-                       socket->write (reinterpret_cast<uint8_t const *>("OK"), 3);
+                       auto const length = socket->read_uint32();
+                       if (length < 65536) {
+                               scoped_array<char> buffer(new char[length]);
+                               socket->read(reinterpret_cast<uint8_t*>(buffer.get()), length);
+                               string s(buffer.get());
+                               emit(boost::bind(boost::ref(StartJob), s));
+                               socket->write (reinterpret_cast<uint8_t const *>("OK"), 3);
+                       }
                } catch (...) {
 
                }
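Review bot: The check in `handle` is written `length < 65536`, whereas the other three checks in this commit reject only `length > 65536`, so a length of exactly 65536 is accepted by the encode server, finder and player but dropped here. If the limits are meant to agree, use the same form as the player hunk, `if (length > 65536) { return; }`, which also removes the extra nesting level. As written, an over-limit request falls out of the `if` without the "OK" reply, so a client waiting for it presumably sees only the connection close; that may be intended but is worth a comment.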
index 88b0f839df0e540069bedfc00b9dc9f5d1797f6c..5dd0a0afe9f7b967bed8907a1d5cc280d6b38f72 100644 (file)
@@ -1140,7 +1140,10 @@ public:
        void handle (shared_ptr<Socket> socket) override
        {
                try {
-                       int const length = socket->read_uint32 ();
+                       uint32_t const length = socket->read_uint32 ();
+                       if (length > 65536) {
+                               return;
+                       }
                        scoped_array<char> buffer (new char[length]);
                        socket->read (reinterpret_cast<uint8_t*> (buffer.get()), length);
                        string s (buffer.get());
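Review bot: An over-limit length in `handle` now returns with no log entry, so a rejected request (corrupted or hostile) leaves no trace for anyone diagnosing the player. The finder and batch hunks drop the request just as silently, while encode_server.cc at least throws a NetworkError with a message. A one-line warning through the project's existing logging before the `return;` would make these rejections visible. A comment above the check such as `// length comes straight from the peer; bound it before it sizes the allocation` would also help. The function continues past the end of the hunk.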