From aefc5f83f7de651e3a37e7e1781bfaef46dab9c4 Mon Sep 17 00:00:00 2001 From: Ben Ford Date: Wed, 30 Nov 2022 11:28:16 -0600 Subject: [PATCH] Merge pull request from GHSA-fq45-m3f7-3mhj * Initial patch * Use 'pj_scan_is_eof(scanner)' Co-authored-by: Aaron Lichtman * Use 'pj_scan_is_eof(scanner)' Co-authored-by: Aaron Lichtman * Use 'pj_scan_is_eof(scanner)' Co-authored-by: Aaron Lichtman * Use `!pj_scan_is_eof` instead of manually checking `scanner->curptr < scanner->end` Co-authored-by: Maksim Mukosey * Update pjlib-util/src/pjlib-util/scanner.c Co-authored-by: Aaron Lichtman * Update pjlib-util/src/pjlib-util/scanner.c Co-authored-by: Aaron Lichtman * Update pjlib-util/src/pjlib-util/scanner.c Co-authored-by: Aaron Lichtman * Revert '>=' back to '>' in pj_scan_stricmp_alnum() * Fix error compiles. Co-authered-by: sauwming Co-authored-by: Nanang Izzuddin Co-authored-by: Aaron Lichtman Co-authored-by: Maksim Mukosey --- pjlib-util/src/pjlib-util/scanner.c | 41 +++++++++++++++++++---------- pjmedia/src/pjmedia/rtp.c | 11 +++++--- pjmedia/src/pjmedia/sdp.c | 24 ++++++++++------- 3 files changed, 48 insertions(+), 28 deletions(-) diff --git a/pjlib-util/src/pjlib-util/scanner.c b/pjlib-util/src/pjlib-util/scanner.c index c18b74c55..ea27bbec9 100644 --- a/pjlib-util/src/pjlib-util/scanner.c +++ b/pjlib-util/src/pjlib-util/scanner.c @@ -195,7 +195,13 @@ PJ_DEF(void) pj_scan_skip_whitespace( pj_scanner *scanner ) PJ_DEF(void) pj_scan_skip_line( pj_scanner *scanner ) { - char *s = pj_ansi_strchr(scanner->curptr, '\n'); + char *s; + + if (pj_scan_is_eof(scanner)) { + return; + } + + s = pj_memchr(scanner->curptr, '\n', scanner->end - scanner->curptr); if (!s) { scanner->curptr = scanner->end; } else { @@ -264,8 +270,7 @@ PJ_DEF(void) pj_scan_get( pj_scanner *scanner, pj_assert(pj_cis_match(spec,0)==0); - /* EOF is detected implicitly */ - if (!pj_cis_match(spec, *s)) { + if (pj_scan_is_eof(scanner) || !pj_cis_match(spec, *s)) { pj_scan_syntax_err(scanner); return; } 
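Review bot: The length passed to `pj_memchr`, `scanner->end - scanner->curptr`, is a signed pointer difference handed to a size parameter, and only the `pj_scan_is_eof(scanner)` early return above keeps it from being negative; that dependency is worth stating at the call, e.g. `/* eof check above guarantees curptr < end, so the length is positive */`. If pj_memchr takes a `pj_size_t`, an explicit `(pj_size_t)(scanner->end - scanner->curptr)` makes the conversion visible instead of implicit. The `else` branch of pj_scan_skip_line continues outside the hunk.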
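Review bot: The added `pj_scan_is_eof(scanner) ||` guards only the first `*s` dereference; `s` is declared before the hunk and the loop that advances it is after the hunk, so pj_scan_get presumably still relies on the input being NUL-terminated, which is exactly what the `pj_assert(pj_cis_match(spec,0)==0)` context line encodes. That precondition deserves a comment at the loop, e.g. `/* loop relies on NUL-terminated input: spec never matches '\0' */`. If pj_scan_get still ends with the `PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws` test that its sibling functions get guarded in this patch, it needs the same `!pj_scan_is_eof(scanner) &&` prefix; that line is not in the hunk, so I cannot confirm it either way.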
@@ -299,8 +304,7 @@ PJ_DEF(void) pj_scan_get_unescape( pj_scanner *scanner, /* Must not match character '%' */ pj_assert(pj_cis_match(spec,'%')==0); - /* EOF is detected implicitly */ - if (!pj_cis_match(spec, *s) && *s != '%') { + if (pj_scan_is_eof(scanner) || !pj_cis_match(spec, *s) && *s != '%') { pj_scan_syntax_err(scanner); return; } @@ -436,7 +440,9 @@ PJ_DEF(void) pj_scan_get_n( pj_scanner *scanner, scanner->curptr += N; - if (PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && scanner->skip_ws) { + if (!pj_scan_is_eof(scanner) && + PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && scanner->skip_ws) + { pj_scan_skip_whitespace(scanner); } } @@ -462,15 +468,16 @@ PJ_DEF(int) pj_scan_get_char( pj_scanner *scanner ) PJ_DEF(void) pj_scan_get_newline( pj_scanner *scanner ) { - if (!PJ_SCAN_IS_NEWLINE(*scanner->curptr)) { + if (pj_scan_is_eof(scanner) || !PJ_SCAN_IS_NEWLINE(*scanner->curptr)) { pj_scan_syntax_err(scanner); return; } + /* We have checked scanner->curptr validity above */ if (*scanner->curptr == '\r') { ++scanner->curptr; } - if (*scanner->curptr == '\n') { + if (!pj_scan_is_eof(scanner) && *scanner->curptr == '\n') { ++scanner->curptr; } @@ -515,7 +522,9 @@ PJ_DEF(void) pj_scan_get_until( pj_scanner *scanner, scanner->curptr = s; - if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) { + if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) && + scanner->skip_ws) + { pj_scan_skip_whitespace(scanner); } } @@ -539,7 +548,9 @@ PJ_DEF(void) pj_scan_get_until_ch( pj_scanner *scanner, scanner->curptr = s; - if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) { + if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) && + scanner->skip_ws) + { pj_scan_skip_whitespace(scanner); } } 
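Review bot: The new condition `pj_scan_is_eof(scanner) || !pj_cis_match(spec, *s) && *s != '%'` mixes `||` and `&&` with no parentheses; it groups as intended because `&&` binds tighter, but it trips `-Wparentheses` and forces the reader to re-derive the grouping on a bounds check. Write it as `if (pj_scan_is_eof(scanner) || (!pj_cis_match(spec, *s) && *s != '%')) {`. As in pj_scan_get, only the first byte is guarded here; the unescape loop that follows is outside the hunk.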
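Review bot: `scanner->curptr += N;` runs before the new `!pj_scan_is_eof(scanner)` test in pj_scan_get_n, so the test is only sound if N was already bounded against `scanner->end - scanner->curptr` earlier in the function, which is outside the hunk; if it was not, the pointer arithmetic itself is undefined before `pj_scan_is_eof()` gets to run. If the bound exists, make the dependency explicit at the guard: `/* N was bounds-checked above, so curptr <= end here; the eof test only protects the deref */`. If it does not, reject oversized N first with `if (N > (pj_size_t)(scanner->end - scanner->curptr)) { pj_scan_syntax_err(scanner); return; }`.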
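Review bot: In the rewritten tail of pj_scan_get_until the cheap flag `scanner->skip_ws` is evaluated last, after the `pj_scan_is_eof()` call and the `*s` dereference; testing it first short-circuits both when whitespace skipping is disabled and reads in the natural order ("if skipping, and a byte remains, and it is a space"): `if (scanner->skip_ws && !pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s))`. The same ordering applies to the identical tail of pj_scan_get_until_ch in the next hunk. The search loop that positions `s` in both functions is outside the hunk.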
@@ -565,7 +576,9 @@ PJ_DEF(void) pj_scan_get_until_chr( pj_scanner *scanner, scanner->curptr = s; - if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) { + if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) && + scanner->skip_ws) + { pj_scan_skip_whitespace(scanner); } } @@ -580,7 +593,9 @@ PJ_DEF(void) pj_scan_advance_n( pj_scanner *scanner, scanner->curptr += N; - if (PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && skip_ws) { + if (!pj_scan_is_eof(scanner) && + PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && skip_ws) + { pj_scan_skip_whitespace(scanner); } } @@ -631,5 +646,3 @@ PJ_DEF(void) pj_scan_restore_state( pj_scanner *scanner, scanner->line = state->line; scanner->start_line = state->start_line; } - - diff --git a/pjmedia/src/pjmedia/rtp.c b/pjmedia/src/pjmedia/rtp.c index 6c571010c..c987cd0ad 100644 --- a/pjmedia/src/pjmedia/rtp.c +++ b/pjmedia/src/pjmedia/rtp.c @@ -183,6 +183,11 @@ PJ_DEF(pj_status_t) pjmedia_rtp_decode_rtp2( /* Payload is located right after header plus CSRC */ offset = sizeof(pjmedia_rtp_hdr) + ((*hdr)->cc * sizeof(pj_uint32_t)); + /* Check that offset is less than packet size */ + if (offset >= pkt_len) { + return PJMEDIA_RTP_EINLEN; + } + /* Decode RTP extension. */ if ((*hdr)->x) { dec_hdr->ext_hdr = (pjmedia_rtp_ext_hdr*)(((pj_uint8_t*)pkt) + offset); @@ -195,8 +200,8 @@ PJ_DEF(pj_status_t) pjmedia_rtp_decode_rtp2( dec_hdr->ext_len = 0; } - /* Check that offset is less than packet size */ - if (offset > pkt_len) + /* Check again that offset is still less than packet size */ + if (offset >= pkt_len) return PJMEDIA_RTP_EINLEN; /* Find and set payload. */ @@ -386,5 +391,3 @@ void pjmedia_rtp_seq_update( pjmedia_rtp_seq_session *sess, seq_status->status.value = st.status.value; } } - - diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c index c443d863f..f27a1a84f 100644 --- a/pjmedia/src/pjmedia/sdp.c +++ b/pjmedia/src/pjmedia/sdp.c 
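Review bot: As with pj_scan_get_n, `scanner->curptr += N;` in pj_scan_advance_n executes before the new `!pj_scan_is_eof(scanner)` guard, so the guard only protects the dereference and not the advance; it is correct only if N was checked against `scanner->end - scanner->curptr` at the top of the function, which is outside the hunk. If that check is present, say so at the guard, `/* N already bounded against end above; eof test only protects the deref */`; if it is absent, reject oversized N with `pj_scan_syntax_err(scanner)` before advancing.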
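Review bot: The new `if (offset >= pkt_len) return PJMEDIA_RTP_EINLEN;` guarantees exactly one readable byte at `offset`, yet the next statement casts `pkt + offset` to `pjmedia_rtp_ext_hdr*` when `(*hdr)->x` is set, and that header is wider than one byte; its fields are presumably read to compute the extension length before the second bound in the following hunk is reached. When an extension is signalled the check should cover the whole fixed extension header: `if (offset + ((*hdr)->x ? sizeof(pjmedia_rtp_ext_hdr) : 0) > pkt_len) return PJMEDIA_RTP_EINLEN;`. The comment `/* Check that offset is less than packet size */` should then say that it also reserves room for the extension header.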
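Review bot: Tightening the final bound from `offset > pkt_len` to `offset >= pkt_len` makes a packet whose header, CSRCs and extension exactly fill `pkt_len` — a zero-length payload — fail with PJMEDIA_RTP_EINLEN, where it previously decoded with an empty payload. RTP does not require a non-empty payload, so if callers expect such packets (keepalives or similar), this is a behavioural regression rather than hardening; a payload pointer of `pkt + pkt_len` is one-past-the-end and harmless as long as the payload length derived after the hunk comes out as zero and nothing dereferences it. If rejecting empty payloads is intended, record it at the check: `/* Empty payloads are rejected deliberately: offset == pkt_len is an error */`; otherwise keep `>` here and let the length computation yield zero.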
@@ -967,13 +967,13 @@ static void parse_version(pj_scanner *scanner, parse_context *ctx) ctx->last_error = PJMEDIA_SDP_EINVER; /* check equal sign */ - if (*(scanner->curptr+1) != '=') { + if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') { on_scanner_error(scanner); return; } /* check version is 0 */ - if (*(scanner->curptr+2) != '0') { + if (scanner->curptr+2 >= scanner->end || *(scanner->curptr+2) != '0') { on_scanner_error(scanner); return; } @@ -990,7 +990,7 @@ static void parse_origin(pj_scanner *scanner, pjmedia_sdp_session *ses, ctx->last_error = PJMEDIA_SDP_EINORIGIN; /* check equal sign */ - if (*(scanner->curptr+1) != '=') { + if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') { on_scanner_error(scanner); return; } @@ -1036,7 +1036,7 @@ static void parse_time(pj_scanner *scanner, pjmedia_sdp_session *ses, ctx->last_error = PJMEDIA_SDP_EINTIME; /* check equal sign */ - if (*(scanner->curptr+1) != '=') { + if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') { on_scanner_error(scanner); return; } @@ -1064,7 +1064,7 @@ static void parse_generic_line(pj_scanner *scanner, pj_str_t *str, ctx->last_error = PJMEDIA_SDP_EINSDP; /* check equal sign */ - if (*(scanner->curptr+1) != '=') { + if ((scanner->curptr+1 >= scanner->end) || *(scanner->curptr+1) != '=') { on_scanner_error(scanner); return; } @@ -1133,7 +1133,7 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med, ctx->last_error = PJMEDIA_SDP_EINMEDIA; /* check the equal sign */ - if (*(scanner->curptr+1) != '=') { + if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') { on_scanner_error(scanner); return; } 
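Review bot: The look-ahead tests `scanner->curptr+1 >= scanner->end` and `scanner->curptr+2 >= scanner->end` build pointers up to two past `end` before comparing; forming a pointer beyond one-past-the-end is undefined in C even if never dereferenced, and the `curptr+1 >= end` form is copied into parse_origin, parse_time, parse_generic_line, parse_media and parse_attr in this same patch. Expressing the bound as a remaining-length check avoids the issue and collapses parse_version's two tests into one: `if (scanner->end - scanner->curptr < 3 || scanner->curptr[1] != '=' || scanner->curptr[2] != '0') {`. The function's head, where `*scanner->curptr == 'v'` is presumably checked, is outside the hunk.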
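Review bot: The guard in parse_generic_line is written `(scanner->curptr+1 >= scanner->end) || ...` while every other "check equal sign" site in this patch omits the parentheses; pick one form. Since the identical bound-plus-character test now appears six times in sdp.c, a small `static` helper such as `static pj_bool_t sdp_next_is_eq(const pj_scanner *sc) { return sc->end - sc->curptr >= 2 && sc->curptr[1] == '='; }` would keep the bound and the character test together and make any future copy inherit the check. parse_generic_line begins and ends outside the hunk.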
@@ -1148,6 +1148,10 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med, /* port */ pj_scan_get(scanner, &cs_token, &str); med->desc.port = (unsigned short)pj_strtoul(&str); + if (pj_scan_is_eof(scanner)) { + on_scanner_error(scanner); + return; + } if (*scanner->curptr == '/') { /* port count */ pj_scan_get_char(scanner); @@ -1159,7 +1163,7 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med, } if (pj_scan_get_char(scanner) != ' ') { - PJ_THROW(SYNTAX_ERROR); + on_scanner_error(scanner); } /* transport */ @@ -1167,7 +1171,7 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med, /* format list */ med->desc.fmt_count = 0; - while (*scanner->curptr == ' ') { + while (scanner->curptr < scanner->end && *scanner->curptr == ' ') { pj_str_t fmt; pj_scan_get_char(scanner); @@ -1207,7 +1211,7 @@ static pjmedia_sdp_attr *parse_attr( pj_pool_t *pool, pj_scanner *scanner, attr = PJ_POOL_ALLOC_T(pool, pjmedia_sdp_attr); /* check equal sign */ - if (*(scanner->curptr+1) != '=') { + if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') { on_scanner_error(scanner); return NULL; } @@ -1226,7 +1230,7 @@ static pjmedia_sdp_attr *parse_attr( pj_pool_t *pool, pj_scanner *scanner, pj_scan_get_char(scanner); /* get value */ - if (*scanner->curptr != '\r' && *scanner->curptr != '\n') { + if (!pj_scan_is_eof(scanner) && *scanner->curptr != '\r' && *scanner->curptr != '\n') { pj_scan_get_until_chr(scanner, "\r\n", &attr->value); } else { attr->value.ptr = NULL; -- 2.25.1
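Review bot: The added `pj_scan_is_eof()` check protects the `*scanner->curptr == '/'` look-ahead, but the value parsed on the context line just above it, `med->desc.port = (unsigned short)pj_strtoul(&str);`, is still not range-checked: a port token above 65535 in attacker-supplied SDP is silently truncated instead of being rejected as a malformed `m=` line. That truncation predates this commit, but it is one line to close while this site is being touched: `if (pj_strtoul(&str) > 65535) { on_scanner_error(scanner); return; }` before the cast. The port-count branch and the rest of parse_media continue outside the hunk.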
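Review bot: Replacing `PJ_THROW(SYNTAX_ERROR)` with `on_scanner_error(scanner)` after the separator check is only equivalent if on_scanner_error never returns; its definition is not in this hunk, and every other call site in this patch follows it with `return;` while this one does not, so if it ever returned normally, parsing would continue into the transport and format fields after a separator error. Either add `return;` after the call for consistency with the surrounding sites, or document the non-returning contract at the call: `/* on_scanner_error() does not return (PJ_THROW); no return needed */`.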
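Review bot: The loop guard `scanner->curptr < scanner->end && *scanner->curptr == ' '` hand-codes what the rest of this patch expresses through `pj_scan_is_eof()`; use the accessor here too so the end-of-input test lives in one place: `while (!pj_scan_is_eof(scanner) && *scanner->curptr == ' ') {`. The body of the format-list loop, including the `pj_scan_get` that reads each `fmt`, is cut off at the end of the hunk.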