Fix the snprintf size issue.

2025-03-09 15:49:59 +00:00 · 2022-08-10 08:32:02 +08:00 · 2022-08-10 08:32:02 +08:00 · a71eddd56a
commit a71eddd56a
parent 1ab584b2ae
10 changed files with 46 additions and 17 deletions
--- a/trunk/src/protocol/srs_protocol_http_conn.cpp
+++ b/trunk/src/protocol/srs_protocol_http_conn.cpp
@ -773,6 +773,9 @@ srs_error_t SrsHttpResponseWriter::write(char* data, int size)
    
    // send in chunked encoding.
    int nb_size = snprintf(header_cache, SRS_HTTP_HEADER_CACHE_SIZE, "%x", size);
+    if (nb_size <= 0 || nb_size >= SRS_HTTP_HEADER_CACHE_SIZE) {
+        return srs_error_new(ERROR_HTTP_CONTENT_LENGTH, "overflow size=%d, expect=%d", size, nb_size);
+    }
    
    iovec iovs[4];
    iovs[0].iov_base = (char*)header_cache;
@ -842,6 +845,9 @@ srs_error_t SrsHttpResponseWriter::writev(const iovec* iov, int iovcnt, ssize_t*
    
    // chunk header
    int nb_size = snprintf(header_cache, SRS_HTTP_HEADER_CACHE_SIZE, "%x", size);
+    if (nb_size <= 0 || nb_size >= SRS_HTTP_HEADER_CACHE_SIZE) {
+        return srs_error_new(ERROR_HTTP_CONTENT_LENGTH, "overflow size=%d, expect=%d", size, nb_size);
+    }
    iovss[0].iov_base = (char*)header_cache;
    iovss[0].iov_len = (int)nb_size;

--- a/trunk/src/protocol/srs_protocol_json.cpp
+++ b/trunk/src/protocol/srs_protocol_json.cpp
@ -1582,8 +1582,8 @@ string SrsJsonAny::dumps()
        }
        case SRS_JSON_Number: {
            // len(max int64_t) is 20, plus one "+-."
-            char tmp[22];
-            snprintf(tmp, 22, "%.2f", to_number());
+            char tmp[21 + 1];
+            snprintf(tmp, sizeof(tmp), "%.2f", to_number());
            return tmp;
        }
        case SRS_JSON_Null: {
--- a/trunk/src/protocol/srs_protocol_rtmp_handshake.cpp
+++ b/trunk/src/protocol/srs_protocol_rtmp_handshake.cpp
@ -962,7 +962,7 @@ namespace srs_internal
        srs_random_generate(random, 1504);
        
        int size = snprintf(random, 1504, "%s", RTMP_SIG_SRS_HANDSHAKE);
-        srs_assert(size < 1504);
+        srs_assert(size > 0 && size < 1504);
        snprintf(random + 1504 - size, size, "%s", RTMP_SIG_SRS_HANDSHAKE);
        
        srs_random_generate(digest, 32);
--- a/trunk/src/protocol/srs_protocol_srt.cpp
+++ b/trunk/src/protocol/srs_protocol_srt.cpp
@ -170,7 +170,8 @@ srs_error_t srs_srt_listen(srs_srt_t srt_fd, std::string ip, int port)
    srs_error_t err = srs_success;

    char sport[8];
-    snprintf(sport, sizeof(sport), "%d", port);
+    int r0 = snprintf(sport, sizeof(sport), "%d", port);
+    srs_assert(r0 > 0 && r0 < sizeof(sport));

    addrinfo hints;
    memset(&hints, 0, sizeof(hints));
--- a/trunk/src/protocol/srs_protocol_st.cpp
+++ b/trunk/src/protocol/srs_protocol_st.cpp
@ -175,7 +175,8 @@ srs_error_t srs_tcp_connect(string server, int port, srs_utime_t tm, srs_netfd_t
    srs_netfd_t stfd = NULL;

    char sport[8];
-    snprintf(sport, sizeof(sport), "%d", port);
+    int r0 = snprintf(sport, sizeof(sport), "%d", port);
+    srs_assert(r0 > 0 && r0 < sizeof(sport));
    
    addrinfo hints;
    memset(&hints, 0, sizeof(hints));
@ -251,7 +252,8 @@ srs_error_t srs_tcp_listen(std::string ip, int port, srs_netfd_t* pfd)
    srs_error_t err = srs_success;

    char sport[8];
-    snprintf(sport, sizeof(sport), "%d", port);
+    int r0 = snprintf(sport, sizeof(sport), "%d", port);
+    srs_assert(r0 > 0 && r0 < sizeof(sport));

    addrinfo hints;
    memset(&hints, 0, sizeof(hints));
@ -312,7 +314,8 @@ srs_error_t srs_udp_listen(std::string ip, int port, srs_netfd_t* pfd)
    srs_error_t err = srs_success;

    char sport[8];
-    snprintf(sport, sizeof(sport), "%d", port);
+    int r0 = snprintf(sport, sizeof(sport), "%d", port);
+    srs_assert(r0 > 0 && r0 < sizeof(sport));

    addrinfo hints;
    memset(&hints, 0, sizeof(hints));