From 79ae795c797bae0d6fe94ff0238e082c582eb768 Mon Sep 17 00:00:00 2001
From: Carl Hetherington <cth@carlh.net>
Date: Sat, 28 Oct 2023 23:03:24 +0200
Subject: Check some unsanitized network inputs before allocating memory using
 them.

---
 src/lib/encode_server.cc        |  4 ++++
 src/lib/encode_server_finder.cc |  5 +++++
 src/tools/dcpomatic_batch.cc    | 14 ++++++++------
 src/tools/dcpomatic_player.cc   |  5 ++++-
 4 files changed, 21 insertions(+), 7 deletions(-)

(limited to 'src')

diff --git a/src/lib/encode_server.cc b/src/lib/encode_server.cc
index 6501dcde1..036ea58a5 100644
--- a/src/lib/encode_server.cc
+++ b/src/lib/encode_server.cc
@@ -126,6 +126,10 @@ EncodeServer::process (shared_ptr<Socket> socket, struct timeval& after_read, st
 	Socket::ReadDigestScope ds (socket);
 
 	auto length = socket->read_uint32 ();
+	if (length > 65536) {
+		throw NetworkError("Malformed encode request (too large)");
+	}
+
 	scoped_array<char> buffer (new char[length]);
 	socket->read (reinterpret_cast<uint8_t*>(buffer.get()), length);
 
diff --git a/src/lib/encode_server_finder.cc b/src/lib/encode_server_finder.cc
index 3f5cb74f0..1d4ced595 100644
--- a/src/lib/encode_server_finder.cc
+++ b/src/lib/encode_server_finder.cc
@@ -227,6 +227,11 @@ EncodeServerFinder::handle_accept (boost::system::error_code ec)
 		_accept_socket->read (reinterpret_cast<uint8_t*>(&length), sizeof(uint32_t));
 		length = ntohl (length);
 
+		if (length > 65536) {
+			start_accept();
+			return;
+		}
+
 		scoped_array<char> buffer(new char[length]);
 		_accept_socket->read (reinterpret_cast<uint8_t*>(buffer.get()), length);
 		server_available = buffer.get();
diff --git a/src/tools/dcpomatic_batch.cc b/src/tools/dcpomatic_batch.cc
index dc092bf8c..3114768ac 100644
--- a/src/tools/dcpomatic_batch.cc
+++ b/src/tools/dcpomatic_batch.cc
@@ -402,12 +402,14 @@ public:
 	void handle (shared_ptr<Socket> socket) override
 	{
 		try {
-			int const length = socket->read_uint32 ();
-			scoped_array<char> buffer(new char[length]);
-			socket->read (reinterpret_cast<uint8_t*>(buffer.get()), length);
-			string s (buffer.get());
-			emit(boost::bind(boost::ref(StartJob), s));
-			socket->write (reinterpret_cast<uint8_t const *>("OK"), 3);
+			auto const length = socket->read_uint32();
+			if (length < 65536) {
+				scoped_array<char> buffer(new char[length]);
+				socket->read(reinterpret_cast<uint8_t*>(buffer.get()), length);
+				string s(buffer.get());
+				emit(boost::bind(boost::ref(StartJob), s));
+				socket->write (reinterpret_cast<uint8_t const *>("OK"), 3);
+			}
 		} catch (...) {
 
 		}
diff --git a/src/tools/dcpomatic_player.cc b/src/tools/dcpomatic_player.cc
index 88b0f839d..5dd0a0afe 100644
--- a/src/tools/dcpomatic_player.cc
+++ b/src/tools/dcpomatic_player.cc
@@ -1140,7 +1140,10 @@ public:
 	void handle (shared_ptr<Socket> socket) override
 	{
 		try {
-			int const length = socket->read_uint32 ();
+			uint32_t const length = socket->read_uint32 ();
+			if (length > 65536) {
+				return;
+			}
 			scoped_array<char> buffer (new char[length]);
 			socket->read (reinterpret_cast<uint8_t*> (buffer.get()), length);
 			string s (buffer.get());
-- 
cgit v1.2.3