Remove more "implicit integer or enum conversions" as well as memset
before snprintf.
(forward port of commit 2eb3e069badd5c8676738c3ead37f9551fd8448e)
There was a problem in HDR_ACCEPT_LANGUAGE case.
It may read from TmpBuf larger amount than allocated,
since condition was always true.
Terminate RespInstr->AcceptLanguageHeader correctly.
Skip allocation if there is already sufficient buffer.
(cherry picked from commit db532afb9bd7b870585705701b32dee441a5f6cb)
Remove some of the "implicit integer or enum conversions" as well as
some access to NULL reference in upnp part.
(forward port of commit c67187ac94f25ae23b286a1521d968911edba61d)
Respect unique_service_name error in ssdp_request_type
so as not to touch non-terminated buffer under Evt.
(cherry picked from commit 5944960e172a797a9fcc196291f4046cafa7f6ec)
Pass output buffer size to addrToString and detect overflow.
Handle addrToString error in configure_urlbase.
(cherry picked from commit 56b44fee914738eb9e8bddc5fce768e2dbc4db12)
Pass output buffer size to CreateClientRequestPacket(UlaGua)
from SearchByTarget and detect overflow.
Handle SearchByTarget error in UpnpSearchAsync.
(cherry picked from commit ff635f92c08cf8f7ebca973450bd79feacb2e0b1)
Do not compile most of service_table.c and client_table.c if
--disable-gena is used.
Do not compile urlconfig.c if --disable-webserver is used.
Adding new UPNP_HAVE_xxx variables in upnpconfig.h and upnpconfig.h.in.
(forward port of commit bb140000c042b670211d5113bc54dd4e50e93c0e)
Remove "dereference NULL return" errors and implicit conversions to
double or enum types.
(cherry picked from commit 77c73884b81c887e24c2069d9528706c6caf3235)
Submitted: Yoichi NAKAYAMA ( yoichi ) - 2012-03-08 10:18:39 PST
97a17ff5add73c97844e2fa74456bab4df0800f1 commit breaks build on
windows/msvc since there is no snprintf.
Note:
* Some existing sources use _snprintf when WIN32 is defined, but its
behavior is a bit different from C99 snprintf.
* snprintf does terminate the buffer, so the commit (use buffer size
minus 1 as argument) changes the behavior at the boundary.
* Truncation might be better than crash in some cases. But it may
result in not good.
(forward port of commit e722d8c375dc50b855b41cd56e2fc3d70af4201e)
Submitted: Marcelo Roberto Jimenez ( mroberto ) - 2012-03-08 12:38:57 PST
src/api/upnpapi.c: In function ‘UpnpUnSubscribeAsync’:
src/api/upnpapi.c:2060:6: warning: ‘retVal’ may be used uninitialized in this function
(cherry picked from commit 29ee36b1cad224015d70848df398d4d62f3d1937)
Submitted: Terry Farnham ( tfarnham ) - 2011-02-07 09:25:25 PST
Details: The strcmp(pNode->prefix,pCur->prefix) crashes on pCur->prefix
being NULL. This occurs on invalidly formatted xml where a node uses an
undefined namespace. I would expect to receive IXML_FAILED in this
situation.
(cherry picked from commit 2fb791c9bbab69bcb39153a663b8da95ae44a9c0)
Check that newNode is not NULL ixmlNode_cloneNodeTree and pass newAttr
as the return node in the ixmlElement_setAttributeNodeNS call of
ixmlElement_setAttributeNS.
(cherry picked from commit 9b616a08df3613bf27473d176b1b72cd671b75a5)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 04:54:40 PST
If ixmlNode_isParent(nodeptr, newChild) returns TRUE,
ixmlNode_removeChild(nodeptr, newChild, NULL) will free newChild before
the modifications of newChild->nextSibling and newChild->prevSibling.
(cherry picked from commit 4f34a12a83101830e88a6e86013a47f57858d996)
Replace strcpy, sprintf and strcat by strncpy, snprintf and strncat to
avoid buffer overflows.
(forward port of commit 97a17ff5add73c97844e2fa74456bab4df0800f1)
Fix compile error on WIN32.
Local variables must be declared first.
Remove outdated comment.
(forward port of commit 4c3532585df4af55adb661d92788915cfccf52ba)
xmlParser->pCurElement was dereferenced before null check.
Affects debug build only.
(cherry picked from commit 71ab707e817379c45563ca01f2aadc1959b00829)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-07 02:44:30 PST
info->contentType is not freed before being set to NULL.
(forward port of commit 56c26b5199af46de46c1e23992aa1869b4dcebe2)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-07 02:30:57 PST
attr is not freed if ixmlNode_setNodeProperties or
ixmlNode_setAttributeNode return an error in
Parser_processAttributeName.
(cherry picked from commit 268abf72fb63332a4d6185176f2c334926c36eb8)
Removing first TempPtr allocation in unique_service_name as well as one
of the dbgStr allocation in AdvertizeAndReply as those values were not
used.
(cherry picked from commit 7ef089b09a79aa2e596d8ed7a5d04d74159d9882)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-06 07:36:08 PST
Call to strcpy should be replaced by call to memset and strncpy to
avoid getting buffer overflows.
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 14:20:58 PST
fileSize = ftell( xmlFilePtr ); can return a negative value, in this
case the function should exit (at the moment, the function exits only
if ftell returns 0).
(cherry picked from commit a8bcbe94911d13718d07f5dd6f5fdb1f76c58ded)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 12:33:59 PST
Fp is not closed when an error is raised on membuffer_append or
sock_read.
(cherry picked from commit 30badb44c74aefa1c81c63d394079f5fa16c7dc1)
Submitted: Terry Farnham ( tfarnham ) - 2011-06-23 09:45:54 PDT
Details: The following bit of xml results in a memory leak from the xml
parser:
const char *xmlbuffer="<?xml version=\"1.0\" encoding=\"utf-8\"?>
<root xmlns=\"urn:schemas-upnp-org:device-1-0\" xmlns:dlna=\"urn:schemas-dlna-org:device-1-0\">
<dlna:X_DLNADOC xmlns:dlna=\"urn:schemas-dlna-org:device-1-0\">DMS-1.50</dlna:X_DLNADOC></root>";
When I execute the following code:
IXML_Document *doc = ixmlParseBuffer(xmlbuffer);
ixmlDocument_free(doc);
It results in a memory leak in ixmlparser.c line 2107 where it calls
safe_strdup( newElement->namespaceURI ); It's difficult to figure out why.
(cherry picked from commit d6f1e4112ec112a0e4e401fa95589ab5eae000c6)
Submitted: Sunil ( sunilangadi ) - 2011-10-02 08:28:47 PDT
Details: I observed crash in the below mentioned log statement in
function upnpfinish(file: upnpapi.c).
UpnpPrintf(UPNP_INFO, API, __FILE__, __LINE__, "Exiting UpnpFinish:
UpnpSdkInit is :%d:\n", UpnpSdkInit);
In particular it was crashing in ithread_self in
UpnpDisplayFileAndLine(file upnpdebug.c) on WIN32.
Moving the call ithread_cleanup_library() below the upnp printf call
mentioned above in function upnpfinish fixed the crash but I couldn't get
to the root of the problem.
The problem was observed on WIN32.
(cherry picked from commit e5887c9036ed79a741e7383b4d323bf13171f320)
