Submitted: Terry Farnham ( tfarnham ) - 2011-02-07 09:25:25 PST
Details: The strcmp(pNode->prefix,pCur->prefix) crashes on pCur->prefix
being NULL. This occurs on invalidly formatted xml where a node uses an
undefined namespace. I would expect to receive IXML_FAILED in this
situation.
(cherry picked from commit 2fb791c9bbab69bcb39153a663b8da95ae44a9c0)
Check that newNode is not NULL ixmlNode_cloneNodeTree and pass newAttr
as the return node in the ixmlElement_setAttributeNodeNS call of
ixmlElement_setAttributeNS.
(cherry picked from commit 9b616a08df3613bf27473d176b1b72cd671b75a5)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 04:54:40 PST
If ixmlNode_isParent(nodeptr, newChild) returns TRUE,
ixmlNode_removeChild(nodeptr, newChild, NULL) will free newChild before
the modifications of newChild->nextSibling and newChild->prevSibling.
(cherry picked from commit 4f34a12a83101830e88a6e86013a47f57858d996)
Replace strcpy, sprintf and strcat by strncpy, snprintf and strncat to
avoid buffer overflows.
(forward port of commit 97a17ff5add73c97844e2fa74456bab4df0800f1)
Fix compile error on WIN32.
Local variables must be declared first.
Remove outdated comment.
(forward port of commit 4c3532585df4af55adb661d92788915cfccf52ba)
xmlParser->pCurElement was dereferenced before null check.
Affects debug build only.
(cherry picked from commit 71ab707e817379c45563ca01f2aadc1959b00829)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-07 02:44:30 PST
info->contentType is not freed before being set to NULL.
(forward port of commit 56c26b5199af46de46c1e23992aa1869b4dcebe2)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-07 02:30:57 PST
attr is not freed if ixmlNode_setNodeProperties or
ixmlNode_setAttributeNode return an error in
Parser_processAttributeName.
(cherry picked from commit 268abf72fb63332a4d6185176f2c334926c36eb8)
Removing first TempPtr allocation in unique_service_name as well as one
of the dbgStr allocation in AdvertizeAndReply as those values were not
used.
(cherry picked from commit 7ef089b09a79aa2e596d8ed7a5d04d74159d9882)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-06 07:36:08 PST
Call to strcpy should be replaced by call to memset and strncpy to
avoid getting buffer overflows.
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 14:20:58 PST
fileSize = ftell( xmlFilePtr ); can return a negative value, in this
case the function should exit (at the moment, the function exits only
if ftell returns 0).
(cherry picked from commit a8bcbe94911d13718d07f5dd6f5fdb1f76c58ded)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 12:33:59 PST
Fp is not closed when an error is raised on membuffer_append or
sock_read.
(cherry picked from commit 30badb44c74aefa1c81c63d394079f5fa16c7dc1)
Submitted: Terry Farnham ( tfarnham ) - 2011-06-23 09:45:54 PDT
Details: The following bit of xml results in a memory leak from the xml
parser:
const char *xmlbuffer="<?xml version=\"1.0\" encoding=\"utf-8\"?>
<root xmlns=\"urn:schemas-upnp-org:device-1-0\" xmlns:dlna=\"urn:schemas-dlna-org:device-1-0\">
<dlna:X_DLNADOC xmlns:dlna=\"urn:schemas-dlna-org:device-1-0\">DMS-1.50</dlna:X_DLNADOC></root>";
When I execute the following code:
IXML_Document *doc = ixmlParseBuffer(xmlbuffer);
ixmlDocument_free(doc);
It results in a memory leak in ixmlparser.c line 2107 where it calls
safe_strdup( newElement->namespaceURI ); It's difficult to figure out why.
(cherry picked from commit d6f1e4112ec112a0e4e401fa95589ab5eae000c6)
Submitted: Sunil ( sunilangadi ) - 2011-10-02 08:28:47 PDT
Details: I observed crash in the below mentioned log statement in
function upnpfinish(file: upnpapi.c).
UpnpPrintf(UPNP_INFO, API, __FILE__, __LINE__, "Exiting UpnpFinish:
UpnpSdkInit is :%d:\n", UpnpSdkInit);
In particular it was crashing in ithread_self in
UpnpDisplayFileAndLine(file upnpdebug.c) on WIN32.
Moving the call ithread_cleanup_library() below the upnp printf call
mentioned above in function upnpfinish fixed the crash but I couldn't get
to the root of the problem.
The problem was observed on WIN32.
(cherry picked from commit e5887c9036ed79a741e7383b4d323bf13171f320)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 06:42:18 PST
gIF_IPV4, gIF_IPV6 and gIF_IPV6_ULA_GUA might be not null terminated.
Moreover, gIF_IPV4 should be 16 characters (INET_ADDRSTRLEN) and not 22
and gIF_IPV6 should be 46 characters (INET6_ADDRSTRLEN) and not 65.
(cherry picked from commit f6e88d5b0a9c1e2cb2f6bf5e394f055116071fb7)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 05:51:44 PST
Fp is not closed if fseeko(Fp, Instr->RangeOffset, SEEK_CUR) does not return 0.
(cherry picked from commit 5caaf3ad071e4833aaab74133cc755ce3e917c01)
Initialize also HInfo->ServiceTable in UpnpRegisterRootDevice2 and
UpnpRegisterRootDevice4 functions
(cherry picked from commit 26c3f87eca8922ce594e20e419fbf134b82208a0)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 01:55:54 PST
element was not freed if membuffer_append_str(&url_str, "http://") does
not return 0. Moreover addNew was not used.
(cherry picked from commit da244683cf0ca5cc8e686b64c9afb654cc47bfc2)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 01:31:16 PST
Memsetting to 0 some of the structures: finfo in process_request,
job in readFromSSDPSocket, request in http_OpenHttpGetEx, job in
genaNotifyThread, job in genaNotifyAllExt, job in genaNotifyAll,
job in genaInitNotifyExt, job in genaInitNotify, LocalAddr in
getlocalhostname.
(cherry picked from commit 7301f462690b7c62ed62c94650d95bda1064ecec)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 01:15:34 PST
An out-of-bands access is raised because size of
RespInst->AcceptLanguageHeader is 200 and TmpBuf size is 180.
(cherry picked from commit 69f3fe2330877f05311d6d37eb7f6537e3c2172f)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-02-29 02:09:43 PST
newAttrNode is not freed if newAttr->n.nodeValue = strdup(value); returns
NULL or if ixmlElement_setAttributeNodeNS(element, newAttr, NULL) does
not return IXML_SUCCESS.
(cherry picked from commit a79a149e6a77946701ab32a54eb95f734461ee24)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-02-28 04:27:54 PST
ixmlFreeDOMString(ActNodeName); is called twice if
ixmlParseBufferEx(ActNodeName, RespNode); does not return IXML_SUCCESS.
(cherry picked from commit 0693adc7dc978c6802d62b4368b0e87b6dfd2d6f)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-02-28 04:01:02 PST
There is a memory leak in ixmlDocument_createElementEx:
newElement->tagName is not freed if
newElement->n.nodeName = strdup(tagName); returns NULL.
(cherry picked from commit 076f8e5be6e2813883f2573e3001047a6614799f)
Submitted: Marcelo Roberto jimenez ( mroberto ) - 2012-02-26 16:50:23 PST
src/genlib/net/http/httpparser.c: In function ‘parser_parse_requestline’:
src/genlib/net/http/httpparser.c:1319:28: warning: ‘index’ may be used uninitialized in this function
Submitted: Yoichi NAKAYAMA ( yoichi ) - 2012-02-21 07:06:35 PST
In genaSubscribe() (defined in upnp/src/gena/gena_ctrlpt.c),
ActualSID and EventURL will not be freed if ScheduleGenaAutoRenew
returns UPNP_E_SUCCESS.
This fixes the an issue introduced by the previous fix.
Submitted: Yoichi NAKAYAMA ( yoichi ) - 2012-02-21 07:06:35 PST
In genaSubscribe() (defined in upnp/src/gena/gena_ctrlpt.c),
ActualSID and EventURL will not be freed if ScheduleGenaAutoRenew
returns UPNP_E_SUCCESS.
This fixes the original issue.
(cherry picked from commit bc473d5e68c0d7248c4fffae0579f229357d04cf)
Conflicts:
upnp/src/gena/gena_ctrlpt.c
In genaSubscribe() (defined in upnp/src/gena/gena_ctrlpt.c),
ActualSID and EventURL will not be freed.
(cherry picked from commit 2940cbf94a81bdfebb2e6a61a4d2a5488050748a)
Submitted by Berend Dekens ( Berend Dekens ) - 2012-02-08 06:24:31 PST
In httpparser.c on line 1385 it says that HTTP 1.0 replies are blocked
because the UPnP verfication tool requires this.
I looked in the specs and as far as I can find, one should only be
carefull to send chunked communication to hosts supporting HTTP 1.1.
There is no requirement to support only HTTP 1.1.
The XBMC media server uses the Platinum UPnP library which replies
using HTTP/1.0 messages. As it is now, libupnp returns an error while
trying to parse the response while the response itself is completely
valid.
Is there a requirement in the UPnP 1.0 spec that I missed or is this
restriction self-imposed? And can it be lifted?
-------------------------------------------------------------------
Comment by Fabrice Fontaine:
Hide
Hi,
You're right, this modification should be removed. This version checking
was wrongly added in parser_parse_responseline function.
...
(cherry picked from commit d87c966ec5f17d5fbef1b409f426c0d70cd6231f)
Attached is a patch that resolved an issue I found with a server that
gave its device description URI without a trailing slash (e.g.
`http://127.0.0.1:5555`).
(cherry picked from commit a9c24fc7f327adefc5708e4565d15d65c49224ab)
