2018-11-07 Fred Gleason <fredg@paravelsystems.com>

* Fixed buffer overflow bugs in the rd_export(7) rivcwebapi call. * Fixed buffer overflow bugs in the rd_listservices(7) rivcwebapi call. * Fixed buffer overflow bugs in the rd_trimaudio(7) rivcwebapi call.
2025-05-30 07:32:32 +02:00 · 2018-11-07 14:13:11 -05:00 · 2018-11-07 14:13:11 -05:00 · e05d707ed5
commit e05d707ed5
parent 767654a751
6 changed files with 22 additions and 17 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,6 +3,7 @@
 *.5
 *.8
 *.cgi
+*.dll
 *.exe
 *.la
 *.lib
--- a/4
+++ b/4
@ -17984,3 +17984,7 @@
 2018-11-05 Patrick Linstruth <patrick@deltecent.com>
 	* Update macro editor in rdlibrary(1) to fix display of
 	"--- End of cart ---" item and improve buttons and permissions.
+2018-11-07 Fred Gleason <fredg@paravelsystems.com>
+	* Fixed buffer overflow bugs in the rd_export(7) rivcwebapi call.
+	* Fixed buffer overflow bugs in the rd_listservices(7) rivcwebapi call.
+	* Fixed buffer overflow bugs in the rd_trimaudio(7) rivcwebapi call.
--- a/apis/rivwebcapi/rivwebcapi/rd_export.c
+++ b/apis/rivwebcapi/rivwebcapi/rd_export.c
@ -27,10 +27,11 @@
 #include "rd_getuseragent.h"
 #include "rd_export.h"

-size_t write_data( void *ptr, size_t size, size_t nmemb, FILE *stream)
+size_t write_data( void *ptr, size_t size, size_t nmemb, void *userdata)
 {
  size_t written;
-  written = fwrite(ptr,size,nmemb,stream);
+
+  written = fwrite(ptr,size,nmemb,(FILE *)userdata);
  return written;
 }

@ -66,6 +67,7 @@ int RD_ExportCart( const char hostname[],
  CURLcode res;
  char user_agent_string[255];
  char cart_buffer[7];
+  char point[14];
  struct curl_httppost *first=NULL;
  struct curl_httppost *last=NULL;

@ -140,7 +142,7 @@ int RD_ExportCart( const char hostname[],
 	cart_buffer,
 	CURLFORM_END);

-  snprintf(cart_buffer,7,"%u",format);
+  snprintf(cart_buffer,7,"%d",format);
  curl_formadd(&first,
 	&last,
 	CURLFORM_PTRNAME,
@ -149,7 +151,7 @@ int RD_ExportCart( const char hostname[],
 	cart_buffer,
 	CURLFORM_END);

-  snprintf(cart_buffer,7,"%u",channels);
+  snprintf(cart_buffer,7,"%d",channels);
  curl_formadd(&first,
 	&last,
 	CURLFORM_PTRNAME,
@ -158,7 +160,7 @@ int RD_ExportCart( const char hostname[],
 	cart_buffer,
 	CURLFORM_END);

-  snprintf(cart_buffer,7,"%u",sample_rate);
+  snprintf(cart_buffer,7,"%d",sample_rate);
  curl_formadd(&first,
 	&last,
 	CURLFORM_PTRNAME,
@ -167,7 +169,7 @@ int RD_ExportCart( const char hostname[],
 	cart_buffer,
 	CURLFORM_END);

-  snprintf(cart_buffer,7,"%u",bit_rate);
+  snprintf(cart_buffer,7,"%d",bit_rate);
  curl_formadd(&first,
 	&last,
 	CURLFORM_PTRNAME,
@ -176,7 +178,7 @@ int RD_ExportCart( const char hostname[],
 	cart_buffer,
 	CURLFORM_END);

-  snprintf(cart_buffer,7,"%u",quality);
+  snprintf(cart_buffer,7,"%d",quality);
  curl_formadd(&first,
 	&last,
 	CURLFORM_PTRNAME,
@ -185,25 +187,25 @@ int RD_ExportCart( const char hostname[],
 	cart_buffer,
 	CURLFORM_END);

-  snprintf(cart_buffer,7,"%u",start_point);
+  snprintf(point,13,"%d",start_point);
  curl_formadd(&first,
 	&last,
 	CURLFORM_PTRNAME,
 	"START_POINT",
        CURLFORM_COPYCONTENTS, 
-	cart_buffer,
+	point,
 	CURLFORM_END);

-  snprintf(cart_buffer,7,"%u",end_point);
+  snprintf(point,13,"%d",end_point);
  curl_formadd(&first,
 	&last,
 	CURLFORM_PTRNAME,
 	"END_POINT",
        CURLFORM_COPYCONTENTS, 
-	cart_buffer,
+	point,
 	CURLFORM_END);

-  snprintf(cart_buffer,7,"%u",normalization_level);
+  snprintf(cart_buffer,7,"%d",normalization_level);
  curl_formadd(&first,
 	&last,
 	CURLFORM_PTRNAME,
@ -212,7 +214,7 @@ int RD_ExportCart( const char hostname[],
 	cart_buffer,
 	CURLFORM_END);

-  snprintf(cart_buffer,7,"%u",enable_metadata);
+  snprintf(cart_buffer,7,"%d",enable_metadata);
  curl_formadd(&first,
 	&last,
 	CURLFORM_PTRNAME,
--- a/apis/rivwebcapi/rivwebcapi/rd_listservices.c
+++ b/apis/rivwebcapi/rivwebcapi/rd_listservices.c
@ -157,7 +157,7 @@ int RD_ListServices(struct rd_service *services[],
        ticket,
 	CURLFORM_END);

-  snprintf(cart_buffer,7,"%u",trackable);
+  snprintf(cart_buffer,7,"%d",trackable);
  curl_formadd(&first,
 	&last,
 	CURLFORM_PTRNAME,
--- a/apis/rivwebcapi/rivwebcapi/rd_trimaudio.c
+++ b/apis/rivwebcapi/rivwebcapi/rd_trimaudio.c
@ -183,7 +183,7 @@ int RD_TrimAudio(struct rd_trimaudio *trimaudio[],
 	buffer,
 	CURLFORM_END);

-  snprintf(buffer,1024,"%u",trimlevel);
+  snprintf(buffer,1024,"%d",trimlevel);
  curl_formadd(&first,
 	&last,
 	CURLFORM_PTRNAME,
--- a/apis/rivwebcapi/tests/exportcart_test.c
+++ b/apis/rivwebcapi/tests/exportcart_test.c
@ -101,7 +101,6 @@ int main(int argc,char *argv[])
  //
  // Call the function
  //
-  
  int result=RD_ExportCart( host,
 		user,
 		passwd,
@ -119,7 +118,6 @@ int main(int argc,char *argv[])
 		0,
                filename,
                user_agent);
-
  if(result<0) {
    fprintf(stderr,"Something went wrong! Result Code = %d\n",result);
    exit(256);