From 27f12c173d57d09d095d0e5ecfeb18acf5d2434a Mon Sep 17 00:00:00 2001
From: Max Kellermann <max@duempel.org>
Date: Wed, 26 Mar 2008 10:38:07 +0000
Subject: use size_t

When dealing with in-memory lengths, the standard type "size_t" should
be used.  Missing one can be quite dangerous, because an attacker
could provoke an integer under-/overflow, which may provide an attack
vector.

git-svn-id: https://svn.musicpd.org/mpd/trunk@7205 09075e82-0dd4-0310-85a5-a0d7c8717e4f
---
 src/inputStream_http.c | 37 ++++++++++++++++++-------------------
 1 file changed, 18 insertions(+), 19 deletions(-)

(limited to 'src/inputStream_http.c')

diff --git a/src/inputStream_http.c b/src/inputStream_http.c
index c5dccf9dd..9e9bbc921 100644
--- a/src/inputStream_http.c
+++ b/src/inputStream_http.c
@@ -40,8 +40,8 @@ static char *proxyHost;
 static char *proxyPort;
 static char *proxyUser;
 static char *proxyPassword;
-static int bufferSize = HTTP_BUFFER_SIZE_DEFAULT;
-static int prebufferSize = HTTP_PREBUFFER_SIZE_DEFAULT;
+static size_t bufferSize = HTTP_BUFFER_SIZE_DEFAULT;
+static size_t prebufferSize = HTTP_PREBUFFER_SIZE_DEFAULT;
 
 typedef struct _InputStreemHTTPData {
 	char *host;
@@ -52,9 +52,9 @@ typedef struct _InputStreemHTTPData {
 	char *buffer;
 	size_t buflen;
 	int timesRedirected;
-	int icyMetaint;
+	size_t icyMetaint;
 	int prebuffer;
-	int icyOffset;
+	size_t icyOffset;
 	char *proxyAuth;
 	char *httpAuth;
     /* Number of times mpd tried to get data */
@@ -113,9 +113,9 @@ void inputStream_initHttp(void)
 	param = getConfigParam(CONF_HTTP_BUFFER_SIZE);
 
 	if (param) {
-		bufferSize = strtol(param->value, &test, 10);
+		bufferSize = strtoul(param->value, &test, 10);
 
-		if (bufferSize <= 0 || *test != '\0') {
+		if (*test != '\0') {
 			FATAL("\"%s\" specified for %s at line %i is not a "
 			      "positive integer\n",
 			      param->value, CONF_HTTP_BUFFER_SIZE, param->line);
@@ -130,7 +130,7 @@ void inputStream_initHttp(void)
 	param = getConfigParam(CONF_HTTP_PREBUFFER_SIZE);
 
 	if (param) {
-		prebufferSize = strtol(param->value, &test, 10);
+		prebufferSize = strtoul(param->value, &test, 10);
 
 		if (prebufferSize <= 0 || *test != '\0') {
 			FATAL("\"%s\" specified for %s at line %i is not a "
@@ -430,7 +430,8 @@ static int finishHTTPInit(InputStream * inStream)
 	int error;
 	socklen_t error_len = sizeof(int);
 	int ret;
-	int length;
+	size_t length;
+	ssize_t nbytes;
 	char request[2048];
 
 	tv.tv_sec = 0;
@@ -456,7 +457,7 @@ static int finishHTTPInit(InputStream * inStream)
 		goto close_err;
 
 	/* deal with ICY metadata later, for now its fucking up stuff! */
-	length = snprintf(request, sizeof(request),
+	length = (size_t)snprintf(request, sizeof(request),
 	                 "GET %s HTTP/1.1\r\n"
 	                 "Host: %s\r\n"
 	                 "Connection: close\r\n"
@@ -473,8 +474,8 @@ static int finishHTTPInit(InputStream * inStream)
 
 	if (length >= sizeof(request))
 		goto close_err;
-	ret = write(data->sock, request, length);
-	if (ret != length)
+	nbytes = write(data->sock, request, length);
+	if (nbytes < 0 || (size_t)nbytes != length)
 		goto close_err;
 
 	data->connState = HTTP_CONN_STATE_HELLO;
@@ -607,7 +608,7 @@ static int getHTTPHello(InputStream * inStream)
 			if (!inStream->size)
 				inStream->size = atol(cur + 18);
 		} else if (0 == strncasecmp(cur, "\r\nicy-metaint:", 14)) {
-			data->icyMetaint = atoi(cur + 14);
+			data->icyMetaint = strtoul(cur + 14, NULL, 0);
 		} else if (0 == strncasecmp(cur, "\r\nicy-name:", 11) ||
 			   0 == strncasecmp(cur, "\r\nice-name:", 11)) {
 			int incr = 11;
@@ -753,9 +754,9 @@ size_t inputStream_httpRead(InputStream * inStream, void *ptr, size_t size,
 			    size_t nmemb)
 {
 	InputStreamHTTPData *data = (InputStreamHTTPData *) inStream->data;
-	long tosend = 0;
-	long inlen = size * nmemb;
-	long maxToSend = data->buflen;
+	size_t tosend = 0;
+	size_t inlen = size * nmemb;
+	size_t maxToSend = data->buflen;
 
 	inputStream_httpBuffer(inStream);
 
@@ -774,10 +775,8 @@ size_t inputStream_httpRead(InputStream * inStream, void *ptr, size_t size,
 
 	if (data->icyMetaint > 0) {
 		if (data->icyOffset >= data->icyMetaint) {
-			int metalen = *(data->buffer);
+			size_t metalen = *(data->buffer);
 			metalen <<= 4;
-			if (metalen < 0)
-				metalen = 0;
 			if (metalen + 1 > data->buflen) {
 				/* damn that's some fucking big metadata! */
 				if (bufferSize < metalen + 1) {
@@ -879,7 +878,7 @@ int inputStream_httpBuffer(InputStream * inStream)
 	if (data->connState == HTTP_CONN_STATE_OPEN &&
 	    data->buflen < bufferSize - 1) {
 		readed = read(data->sock, data->buffer + data->buflen,
-			      (size_t) (bufferSize - 1 - data->buflen));
+			      bufferSize - 1 - data->buflen);
         /* If the connection is currently unavailable, or interrupted (EINTR)
          * Don't give an error, so it's retried later.
          * Max times in a row to re-try this is HTTP_MAX_TRIES
-- 
cgit v1.2.3