1 From c4d34984ec92b3d5252a7d5cddd85a1d3a8001ae Mon Sep 17 00:00:00 2001
2 From: sauwming <ming@teluu.com>
3 Date: Mon, 3 Oct 2022 08:07:22 +0800
4 Subject: [PATCH] Merge pull request from GHSA-fq45-m3f7-3mhj
8 * Use 'pj_scan_is_eof(scanner)'
10 Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>
12 * Use 'pj_scan_is_eof(scanner)'
14 Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>
16 * Use 'pj_scan_is_eof(scanner)'
18 Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>
20 * Use `!pj_scan_is_eof` instead of manually checking `scanner->curptr < scanner->end`
22 Co-authored-by: Maksim Mukosey <mmukosey@gmail.com>
24 * Update pjlib-util/src/pjlib-util/scanner.c
26 Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>
28 * Update pjlib-util/src/pjlib-util/scanner.c
30 Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>
32 * Update pjlib-util/src/pjlib-util/scanner.c
34 Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>
36 * Revert '>=' back to '>' in pj_scan_stricmp_alnum()
40 Co-authored-by: Nanang Izzuddin <nanang@teluu.com>
41 Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>
42 Co-authored-by: Maksim Mukosey <mmukosey@gmail.com>
44 pjlib-util/src/pjlib-util/scanner.c | 41 +++++++++++++++++++----------
45 pjmedia/src/pjmedia/rtp.c | 11 +++++---
46 pjmedia/src/pjmedia/sdp.c | 24 ++++++++++-------
47 3 files changed, 48 insertions(+), 28 deletions(-)
49 --- a/pjlib-util/src/pjlib-util/scanner.c
50 +++ b/pjlib-util/src/pjlib-util/scanner.c
51 @@ -195,7 +195,13 @@ PJ_DEF(void) pj_scan_skip_whitespace( pj
53 PJ_DEF(void) pj_scan_skip_line( pj_scanner *scanner )
55 - char *s = pj_memchr(scanner->curptr, '\n', scanner->end - scanner->curptr);
58 + if (pj_scan_is_eof(scanner)) {
62 + s = pj_memchr(scanner->curptr, '\n', scanner->end - scanner->curptr);
64 scanner->curptr = scanner->end;
66 @@ -264,8 +270,7 @@ PJ_DEF(void) pj_scan_get( pj_scanner *sc
68 pj_assert(pj_cis_match(spec,0)==0);
70 - /* EOF is detected implicitly */
71 - if (!pj_cis_match(spec, *s)) {
72 + if (pj_scan_is_eof(scanner) || !pj_cis_match(spec, *s)) {
73 pj_scan_syntax_err(scanner);
76 @@ -299,8 +304,7 @@ PJ_DEF(void) pj_scan_get_unescape( pj_sc
77 /* Must not match character '%' */
78 pj_assert(pj_cis_match(spec,'%')==0);
80 - /* EOF is detected implicitly */
81 - if (!pj_cis_match(spec, *s) && *s != '%') {
82 + if (pj_scan_is_eof(scanner) || !pj_cis_match(spec, *s) && *s != '%') {
83 pj_scan_syntax_err(scanner);
86 @@ -436,7 +440,9 @@ PJ_DEF(void) pj_scan_get_n( pj_scanner *
90 - if (PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && scanner->skip_ws) {
91 + if (!pj_scan_is_eof(scanner) &&
92 + PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && scanner->skip_ws)
94 pj_scan_skip_whitespace(scanner);
97 @@ -467,15 +473,16 @@ PJ_DEF(int) pj_scan_get_char( pj_scanner
99 PJ_DEF(void) pj_scan_get_newline( pj_scanner *scanner )
101 - if (!PJ_SCAN_IS_NEWLINE(*scanner->curptr)) {
102 + if (pj_scan_is_eof(scanner) || !PJ_SCAN_IS_NEWLINE(*scanner->curptr)) {
103 pj_scan_syntax_err(scanner);
107 + /* We have checked scanner->curptr validity above */
108 if (*scanner->curptr == '\r') {
111 - if (*scanner->curptr == '\n') {
112 + if (!pj_scan_is_eof(scanner) && *scanner->curptr == '\n') {
116 @@ -520,7 +527,9 @@ PJ_DEF(void) pj_scan_get_until( pj_scann
120 - if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {
121 + if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&
124 pj_scan_skip_whitespace(scanner);
127 @@ -544,7 +553,9 @@ PJ_DEF(void) pj_scan_get_until_ch( pj_sc
131 - if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {
132 + if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&
135 pj_scan_skip_whitespace(scanner);
138 @@ -570,7 +581,9 @@ PJ_DEF(void) pj_scan_get_until_chr( pj_s
142 - if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {
143 + if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&
146 pj_scan_skip_whitespace(scanner);
149 @@ -585,7 +598,9 @@ PJ_DEF(void) pj_scan_advance_n( pj_scann
151 scanner->curptr += N;
153 - if (PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && skip_ws) {
154 + if (!pj_scan_is_eof(scanner) &&
155 + PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && skip_ws)
157 pj_scan_skip_whitespace(scanner);
160 @@ -636,5 +651,3 @@ PJ_DEF(void) pj_scan_restore_state( pj_s
161 scanner->line = state->line;
162 scanner->start_line = state->start_line;
166 --- a/pjmedia/src/pjmedia/rtp.c
167 +++ b/pjmedia/src/pjmedia/rtp.c
168 @@ -188,6 +188,11 @@ PJ_DEF(pj_status_t) pjmedia_rtp_decode_r
169 /* Payload is located right after header plus CSRC */
170 offset = sizeof(pjmedia_rtp_hdr) + ((*hdr)->cc * sizeof(pj_uint32_t));
172 + /* Check that offset is less than packet size */
173 + if (offset >= pkt_len) {
174 + return PJMEDIA_RTP_EINLEN;
177 /* Decode RTP extension. */
179 if (offset + sizeof (pjmedia_rtp_ext_hdr) > (unsigned)pkt_len)
180 @@ -202,8 +207,8 @@ PJ_DEF(pj_status_t) pjmedia_rtp_decode_r
181 dec_hdr->ext_len = 0;
184 - /* Check that offset is less than packet size */
185 - if (offset > pkt_len)
186 + /* Check again that offset is still less than packet size */
187 + if (offset >= pkt_len)
188 return PJMEDIA_RTP_EINLEN;
190 /* Find and set payload. */
191 @@ -393,5 +398,3 @@ void pjmedia_rtp_seq_update( pjmedia_rtp
192 seq_status->status.value = st.status.value;
197 --- a/pjmedia/src/pjmedia/sdp.c
198 +++ b/pjmedia/src/pjmedia/sdp.c
199 @@ -983,13 +983,13 @@ static void parse_version(pj_scanner *sc
200 ctx->last_error = PJMEDIA_SDP_EINVER;
202 /* check equal sign */
203 - if (*(scanner->curptr+1) != '=') {
204 + if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
205 on_scanner_error(scanner);
209 /* check version is 0 */
210 - if (*(scanner->curptr+2) != '0') {
211 + if (scanner->curptr+2 >= scanner->end || *(scanner->curptr+2) != '0') {
212 on_scanner_error(scanner);
215 @@ -1006,7 +1006,7 @@ static void parse_origin(pj_scanner *sca
216 ctx->last_error = PJMEDIA_SDP_EINORIGIN;
218 /* check equal sign */
219 - if (*(scanner->curptr+1) != '=') {
220 + if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
221 on_scanner_error(scanner);
224 @@ -1052,7 +1052,7 @@ static void parse_time(pj_scanner *scann
225 ctx->last_error = PJMEDIA_SDP_EINTIME;
227 /* check equal sign */
228 - if (*(scanner->curptr+1) != '=') {
229 + if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
230 on_scanner_error(scanner);
233 @@ -1080,7 +1080,7 @@ static void parse_generic_line(pj_scanne
234 ctx->last_error = PJMEDIA_SDP_EINSDP;
236 /* check equal sign */
237 - if (*(scanner->curptr+1) != '=') {
238 + if ((scanner->curptr+1 >= scanner->end) || *(scanner->curptr+1) != '=') {
239 on_scanner_error(scanner);
242 @@ -1149,7 +1149,7 @@ static void parse_media(pj_scanner *scan
243 ctx->last_error = PJMEDIA_SDP_EINMEDIA;
245 /* check the equal sign */
246 - if (*(scanner->curptr+1) != '=') {
247 + if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
248 on_scanner_error(scanner);
251 @@ -1164,6 +1164,10 @@ static void parse_media(pj_scanner *scan
253 pj_scan_get(scanner, &cs_token, &str);
254 med->desc.port = (unsigned short)pj_strtoul(&str);
255 + if (pj_scan_is_eof(scanner)) {
256 + on_scanner_error(scanner);
259 if (*scanner->curptr == '/') {
261 pj_scan_get_char(scanner);
262 @@ -1175,7 +1179,7 @@ static void parse_media(pj_scanner *scan
265 if (pj_scan_get_char(scanner) != ' ') {
266 - PJ_THROW(SYNTAX_ERROR);
267 + on_scanner_error(scanner);
271 @@ -1183,7 +1187,7 @@ static void parse_media(pj_scanner *scan
274 med->desc.fmt_count = 0;
275 - while (*scanner->curptr == ' ') {
276 + while (scanner->curptr < scanner->end && *scanner->curptr == ' ') {
279 pj_scan_get_char(scanner);
280 @@ -1223,7 +1227,7 @@ static pjmedia_sdp_attr *parse_attr( pj_
281 attr = PJ_POOL_ALLOC_T(pool, pjmedia_sdp_attr);
283 /* check equal sign */
284 - if (*(scanner->curptr+1) != '=') {
285 + if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
286 on_scanner_error(scanner);
289 @@ -1242,7 +1246,7 @@ static pjmedia_sdp_attr *parse_attr( pj_
290 pj_scan_get_char(scanner);
293 - if (*scanner->curptr != '\r' && *scanner->curptr != '\n') {
294 + if (!pj_scan_is_eof(scanner) && *scanner->curptr != '\r' && *scanner->curptr != '\n') {
295 pj_scan_get_until_chr(scanner, "\r\n", &attr->value);
297 attr->value.ptr = NULL;