
Commit 218fca8

committed
gvsp: out of bound checks
1 parent 62ad4d4 commit 218fca8


3 files changed

+332
-228
lines changed


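--- a/src/arvgvsp.c
+++ b/src/arvgvsp.c
@@ -73,14 +73,18 @@ arv_gvsp_packet_new_image_leader (guint16 frame_id, guint32 packet_id,
 void *buffer, size_t *buffer_size)
 {
 ArvGvspPacket *packet;
+size_t packet_size;
 
 packet = arv_gvsp_packet_new (ARV_GVSP_CONTENT_TYPE_LEADER,
-frame_id, packet_id, sizeof (ArvGvspImageLeader), buffer, buffer_size);
+frame_id, packet_id, sizeof (ArvGvspImageLeader), buffer, &packet_size);
+
+if (buffer_size != NULL)
+*buffer_size = packet_size;
 
 if (packet != NULL) {
 ArvGvspImageLeader *leader;
 
-leader = arv_gvsp_packet_get_data (packet);
+leader = arv_gvsp_packet_get_data (packet, packet_size);
 leader->flags = 0;
 leader->payload_type = g_htons (ARV_BUFFER_PAYLOAD_TYPE_IMAGE);
 leader->timestamp_high = g_htonl (((guint64) timestamp >> 32));
@@ -102,14 +106,18 @@ arv_gvsp_packet_new_data_trailer (guint16 frame_id, guint32 packet_id,
 void *buffer, size_t *buffer_size)
 {
 ArvGvspPacket *packet;
+size_t packet_size;
 
 packet = arv_gvsp_packet_new (ARV_GVSP_CONTENT_TYPE_TRAILER,
-frame_id, packet_id, sizeof (ArvGvspTrailer), buffer, buffer_size);
+frame_id, packet_id, sizeof (ArvGvspTrailer), buffer, &packet_size);
+
+if (buffer_size != NULL)
+*buffer_size = packet_size;
 
 if (packet != NULL) {
 ArvGvspTrailer *trailer;
 
-trailer = arv_gvsp_packet_get_data (packet);
+trailer = arv_gvsp_packet_get_data (packet, packet_size);
 trailer->payload_type = g_htonl (ARV_BUFFER_PAYLOAD_TYPE_IMAGE);
 trailer->data0 = 0;
 }
@@ -123,12 +131,16 @@ arv_gvsp_packet_new_payload (guint16 frame_id, guint32 packet_id,
 void *buffer, size_t *buffer_size)
 {
 ArvGvspPacket *packet;
+size_t packet_size;
 
 packet = arv_gvsp_packet_new (ARV_GVSP_CONTENT_TYPE_PAYLOAD,
-frame_id, packet_id, size, buffer, buffer_size);
+frame_id, packet_id, size, buffer, &packet_size);
+
+if (buffer_size != NULL)
+*buffer_size = packet_size;
 
 if (packet != NULL)
-memcpy (arv_gvsp_packet_get_data (packet), data, size);
+memcpy (arv_gvsp_packet_get_data (packet, packet_size), data, size);
 
 return packet;
 }
@@ -177,23 +189,23 @@ arv_gvsp_packet_to_string (const ArvGvspPacket *packet, size_t packet_size)
 string = g_string_new ("");
 
 packet_status = arv_gvsp_packet_get_status (packet, packet_size);
-content_type = arv_gvsp_packet_get_content_type (packet);
+content_type = arv_gvsp_packet_get_content_type (packet, packet_size);
 
 g_string_append_printf (string, "packet_type = %8s (0x%04x)\n",
 arv_gvsp_packet_status_to_string (packet_status), packet_status);
 g_string_append_printf (string, "content_type = %8s (0x%04x)\n",
 arv_gvsp_content_type_to_string (content_type), content_type);
 g_string_append_printf (string, "frame_id = %8" G_GUINT64_FORMAT " %s\n",
-arv_gvsp_packet_get_frame_id (packet),
-arv_gvsp_packet_has_extended_ids (packet) ? " extended" : "");
+arv_gvsp_packet_get_frame_id (packet, packet_size),
+arv_gvsp_packet_has_extended_ids (packet, packet_size) ? " extended" : "");
 g_string_append_printf (string, "packet_id = %8u\n",
-arv_gvsp_packet_get_packet_id (packet));
+arv_gvsp_packet_get_packet_id (packet, packet_size));
 g_string_append_printf (string, "data_size = %8" G_GSIZE_FORMAT "\n",
 arv_gvsp_packet_get_data_size (packet, packet_size));
 
 switch (content_type) {
 case ARV_GVSP_CONTENT_TYPE_LEADER:
-payload_type = arv_gvsp_leader_packet_get_buffer_payload_type (packet, NULL);
+payload_type = arv_gvsp_leader_packet_get_buffer_payload_type (packet, packet_size, NULL);
 switch (payload_type) {
 case ARV_BUFFER_PAYLOAD_TYPE_IMAGE:
 g_string_append (string, "payload_type = image\n");
@@ -236,7 +248,7 @@ arv_gvsp_packet_to_string (const ArvGvspPacket *packet, size_t packet_size)
 ArvPixelFormat pixel_format;
 guint32 width, height, x_offset, y_offset, x_padding, y_padding;
 
-if (arv_gvsp_leader_packet_get_image_infos (packet,
+if (arv_gvsp_leader_packet_get_image_infos (packet, packet_size,
 &pixel_format,
 &width, &height, &x_offset, &y_offset,
 &x_padding, &y_padding)) {
@@ -251,7 +263,8 @@ arv_gvsp_packet_to_string (const ArvGvspPacket *packet, size_t packet_size)
 }
 } else if (payload_type == ARV_BUFFER_PAYLOAD_TYPE_MULTIPART) {
 g_string_append_printf (string, "n_parts = %8u\n",
-arv_gvsp_leader_packet_get_multipart_n_parts (packet));
+arv_gvsp_leader_packet_get_multipart_n_parts (packet,
+packet_size));
 }
 break;
 case ARV_GVSP_CONTENT_TYPE_TRAILER:
@@ -263,7 +276,7 @@ arv_gvsp_packet_to_string (const ArvGvspPacket *packet, size_t packet_size)
 case ARV_GVSP_CONTENT_TYPE_MULTIZONE:
 break;
 case ARV_GVSP_CONTENT_TYPE_MULTIPART:
-if (arv_gvsp_multipart_packet_get_infos (packet, &part_id, &offset)) {
+if (arv_gvsp_multipart_packet_get_infos (packet, packet_size, &part_id, &offset)) {
 g_string_append_printf (string, "part_id = %8d\n", part_id);
 g_string_append_printf (string, "offset = %8zu\n", offset);
 }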
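Review bot: In the first hunk `packet_size` is declared without an initializer and its address is passed to `arv_gvsp_packet_new ()` in the slot that previously carried the caller's `buffer_size`, so the size of a caller-supplied `buffer` no longer reaches that function. `arv_gvsp_packet_new ()` is not shown on this page; if it reads that argument as the capacity of `buffer` before writing the packet size back, as the old in/out call suggests, the fit check now compares against an indeterminate value, and on a NULL return `*buffer_size = packet_size` may copy that indeterminate value out to the caller. Seeding the local would keep the old contract: `size_t packet_size = buffer_size != NULL ? *buffer_size : 0;`. The same pattern is repeated in the `arv_gvsp_packet_new_data_trailer` and `arv_gvsp_packet_new_payload` hunks. All three functions start outside their hunks, so their parameter lists are only partly visible.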
