am 6d8f5b75: libdrm: fix bad strncpy / snprintf calls (f3a5323c) · Commits · e / os / android_frameworks_base

media/libdrm/mobile1/src/parser/parser_dcf.c

+34 −6

Original line number	Diff line number	Diff line
		@@ -58,11 +58,20 @@ int32_t drm_dcfParser(uint8_t buffer, int32_t bufferLen, T_DRM_DCF_Info pDcfIn
		pDcfInfo->Version = *(tmpBuf++);
		if (0x01 != pDcfInfo->Version) /* Because it is OMA DRM v1.0, the vension must be 1 */
		return FALSE;

		pDcfInfo->ContentTypeLen = *(tmpBuf++);
		if (pDcfInfo->ContentTypeLen >= MAX_CONTENT_TYPE_LEN)
		return FALSE;

		pDcfInfo->ContentURILen = *(tmpBuf++);
		if (pDcfInfo->ContentURILen >= MAX_CONTENT_URI_LEN)
		return FALSE;

		strncpy((char )pDcfInfo->ContentType, (char )tmpBuf, pDcfInfo->ContentTypeLen);
		pDcfInfo->ContentType[MAX_CONTENT_TYPE_LEN - 1] = 0;
		tmpBuf += pDcfInfo->ContentTypeLen;
		strncpy((char )pDcfInfo->ContentURI, (char )tmpBuf, pDcfInfo->ContentURILen);
		pDcfInfo->ContentURI[MAX_CONTENT_URI_LEN - 1] = 0;
		tmpBuf += pDcfInfo->ContentURILen;

		/* 2. Get the headers length and data length */
		@@ -86,30 +95,49 @@ int32_t drm_dcfParser(uint8_t buffer, int32_t bufferLen, T_DRM_DCF_Info pDcfIn
		while ('\r' != *pEnd && pEnd < pData)
		pEnd++;

		if (0 == strncmp((char *)pStart, HEADER_ENCRYPTION_METHOD, HEADER_ENCRYPTION_METHOD_LEN))
		if (0 == strncmp((char *)pStart, HEADER_ENCRYPTION_METHOD, HEADER_ENCRYPTION_METHOD_LEN)) {
		if ((pEnd - pStart - HEADER_ENCRYPTION_METHOD_LEN) >= MAX_ENCRYPTION_METHOD_LEN)
		return FALSE;
		strncpy((char *)pDcfInfo->Encryption_Method,
		(char *)(pStart + HEADER_ENCRYPTION_METHOD_LEN),
		pEnd - pStart - HEADER_ENCRYPTION_METHOD_LEN);
		else if (0 == strncmp((char *)pStart, HEADER_RIGHTS_ISSUER, HEADER_RIGHTS_ISSUER_LEN))
		pDcfInfo->Encryption_Method[MAX_ENCRYPTION_METHOD_LEN - 1] = 0;
		} else if (0 == strncmp((char *)pStart, HEADER_RIGHTS_ISSUER, HEADER_RIGHTS_ISSUER_LEN)) {
		if ((pEnd - pStart - HEADER_RIGHTS_ISSUER_LEN) >= MAX_RIGHTS_ISSUER_LEN)
		return FALSE;
		strncpy((char *)pDcfInfo->Rights_Issuer,
		(char *)(pStart + HEADER_RIGHTS_ISSUER_LEN),
		pEnd - pStart - HEADER_RIGHTS_ISSUER_LEN);
		else if (0 == strncmp((char *)pStart, HEADER_CONTENT_NAME, HEADER_CONTENT_NAME_LEN))
		pDcfInfo->Rights_Issuer[MAX_RIGHTS_ISSUER_LEN - 1] = 0;
		} else if (0 == strncmp((char *)pStart, HEADER_CONTENT_NAME, HEADER_CONTENT_NAME_LEN)) {
		if ((pEnd - pStart - HEADER_CONTENT_NAME_LEN) >= MAX_CONTENT_NAME_LEN)
		return FALSE;
		strncpy((char *)pDcfInfo->Content_Name,
		(char *)(pStart + HEADER_CONTENT_NAME_LEN),
		pEnd - pStart - HEADER_CONTENT_NAME_LEN);
		else if (0 == strncmp((char *)pStart, HEADER_CONTENT_DESCRIPTION, HEADER_CONTENT_DESCRIPTION_LEN))
		pDcfInfo->Content_Name[MAX_CONTENT_NAME_LEN - 1] = 0;
		} else if (0 == strncmp((char *)pStart, HEADER_CONTENT_DESCRIPTION, HEADER_CONTENT_DESCRIPTION_LEN)) {
		if ((pEnd - pStart - HEADER_CONTENT_DESCRIPTION_LEN) >= MAX_CONTENT_DESCRIPTION_LEN)
		return FALSE;
		strncpy((char *)pDcfInfo->ContentDescription,
		(char *)(pStart + HEADER_CONTENT_DESCRIPTION_LEN),
		pEnd - pStart - HEADER_CONTENT_DESCRIPTION_LEN);
		else if (0 == strncmp((char *)pStart, HEADER_CONTENT_VENDOR, HEADER_CONTENT_VENDOR_LEN))
		pDcfInfo->ContentDescription[MAX_CONTENT_DESCRIPTION_LEN - 1] = 0;
		} else if (0 == strncmp((char *)pStart, HEADER_CONTENT_VENDOR, HEADER_CONTENT_VENDOR_LEN)) {
		if ((pEnd - pStart - HEADER_CONTENT_VENDOR_LEN) >= MAX_CONTENT_VENDOR_LEN)
		return FALSE;
		strncpy((char *)pDcfInfo->ContentVendor,
		(char *)(pStart + HEADER_CONTENT_VENDOR_LEN),
		pEnd - pStart - HEADER_CONTENT_VENDOR_LEN);
		else if (0 == strncmp((char *)pStart, HEADER_ICON_URI, HEADER_ICON_URI_LEN))
		pDcfInfo->ContentVendor[MAX_CONTENT_VENDOR_LEN - 1] = 0;
		} else if (0 == strncmp((char *)pStart, HEADER_ICON_URI, HEADER_ICON_URI_LEN)) {
		if ((pEnd - pStart - HEADER_ICON_URI_LEN) >= MAX_ICON_URI_LEN)
		return FALSE;
		strncpy((char *)pDcfInfo->Icon_URI,
		(char *)(pStart + HEADER_ICON_URI_LEN),
		pEnd - pStart - HEADER_ICON_URI_LEN);
		pDcfInfo->Icon_URI[MAX_ICON_URI_LEN - 1] = 0;
		}

		if ('\n' == *(pEnd + 1))
		pStart = pEnd + 2; /* Two bytes: a '\r' and a '\n' */

media/libdrm/mobile1/src/parser/parser_dm.c

+9 −1

Original line number	Diff line number	Diff line
		@@ -90,7 +90,10 @@ int32_t drm_parseDM(const uint8_t buffer, int32_t bufferLen, T_DRM_DM_Info pDm
		/* if can not find the CRLF, return FALSE */
		if (NULL == pEnd)
		return FALSE;
		if ((pEnd - pStart) >= MAX_CONTENT_BOUNDARY_LEN)
		return FALSE;
		strncpy((char )pDmInfo->boundary, (char )pStart, pEnd - pStart);
		pDmInfo->boundary[MAX_CONTENT_BOUNDARY_LEN - 1] = 0;
		boundaryLen = strlen((char )pDmInfo->boundary) + 2; / 2 means: '\r' and '\n' */

		pEnd += 2; /* skip the '\r' and '\n' */
		@@ -126,6 +129,8 @@ int32_t drm_parseDM(const uint8_t buffer, int32_t bufferLen, T_DRM_DM_Info pDm
		DRM_SKIP_SPACE_TAB(pStart);

		if (pEnd - pStart > 0) {
		if ((pEnd - pStart) >= MAX_CONTENT_TYPE_LEN)
		return FALSE;
		strncpy((char )pDmInfo->contentType, (char )pStart, pEnd - pStart);
		pDmInfo->contentType[pEnd - pStart] = '\0';
		}
		@@ -146,13 +151,16 @@ int32_t drm_parseDM(const uint8_t buffer, int32_t bufferLen, T_DRM_DM_Info pDm

		/* Change the format from <...> to cid:... */
		if (NULL != (pTmp = (uint8_t )memchr((char )pStart, '<', pEnd - pStart))) {
		if ((pEnd - pTmp - 1) >= (int) sizeof(tmpBuf))
		return FALSE;
		strncpy((char )tmpBuf, (char )(pTmp + 1), pEnd - pTmp - 1);
		tmpBuf[MAX_CONTENT_ID - 1] = 0;

		if (NULL != (pTmp = (uint8_t )memchr((char )tmpBuf, '>', pEnd - pTmp - 1))) {
		*pTmp = '\0';

		memset(pDmInfo->contentID, 0, MAX_CONTENT_ID);
		sprintf((char )pDmInfo->contentID, "%s%s", "cid:", (int8_t )tmpBuf);
		snprintf((char )pDmInfo->contentID, MAX_CONTENT_ID, "%s%s", "cid:", (int8_t )tmpBuf);
		}
		}
		}