[MPlayer-dev-eng] [PATCH] loader/win32.c cleanup of CreateFile should fix vp6vfw 2nd pass encoding on linux

Mon Sep 17 03:12:55 CEST 2007

revised a bit, dest[MAX_PATH] = 0; should go after strncat
or it will be pointless,
strlen on filename is pointless too

I've added a directory traversal check, if the string
has .. then it return -1

the check is made on dest array beacause it's safe
while lpFileName could not be NULL terminated

Regards

-- 
Gianluigi Tiesi <sherpya at netfarm.it>
EDP Project Leader
Netfarm S.r.l. - http://www.netfarm.it/
Free Software: http://oss.netfarm.it/
-------------- next part --------------
Index: loader/win32.c
===================================================================

--- loader/win32.c	(revision 24551)
+++ loader/win32.c	(working copy)
@@ -3486,102 +3486,63 @@
 // They try to open APmpeg4v1.apl with it.
 // DLL will close opened file with CloseHandle().
 //
-static HANDLE WINAPI expCreateFileA(LPCSTR cs1,DWORD i1,DWORD i2,
-				    LPSECURITY_ATTRIBUTES p1, DWORD i3,DWORD i4,HANDLE i5)
+// refer to http://msdn2.microsoft.com/en-us/library/aa363858.aspx
+// for CreateFile flags
+static HANDLE WINAPI expCreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess,
+                                    DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes,
+                                    DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes,
+                                    HANDLE hTemplateFile)
 {
-    dbgprintf("CreateFileA(0x%x='%s', %d, %d, 0x%x, %d, %d, 0x%x)\n", cs1, cs1, i1,
-	      i2, p1, i3, i4, i5);
-    if((!cs1) || (strlen(cs1)<2))return -1;
+    char dest[MAX_PATH + 1] = "/tmp/";
+    char *p = dest + 5;
+    int flags = 0;
 
-#ifdef QTX
-    if(strstr(cs1, "QuickTime.qts"))
-    {
-	int result;
-	char* tmp=malloc(strlen(def_path)+50);
-	strcpy(tmp, def_path);
-	strcat(tmp, "/");
-	strcat(tmp, "QuickTime.qts");
-	result=open(tmp, O_RDONLY);
-	free(tmp);
-	return result;
-    }
-    if(strstr(cs1, ".qtx"))
-    {
-	int result;
-	char* tmp=malloc(strlen(def_path)+250);
-	char* x=strrchr(cs1,'\\');
-	sprintf(tmp,"%s/%s",def_path,x?(x+1):cs1);
-//	printf("### Open: %s -> %s\n",cs1,tmp);
-	result=open(tmp, O_RDONLY);
-	free(tmp);
-	return result;
-    }
-#endif
+    dbgprintf("CreateFileA() - Filename %s - dwDesiredAccess 0x%08x - dwCreationDisposition 0x%08x\n",
+              lpFileName, dwDesiredAccess, dwCreationDisposition);
 
-    if(strncmp(cs1, "AP", 2) == 0)
-    {
-	int result;
-	char* tmp=malloc(strlen(def_path)+50);
-	strcpy(tmp, def_path);
-	strcat(tmp, "/");
-	strcat(tmp, "APmpg4v1.apl");
-	result=open(tmp, O_RDONLY);
-	free(tmp);
-	return result;
-    }
-    if (strstr(cs1, "vp3"))
-    {
-	int r;
-	int flg = 0;
-	char* tmp=malloc(20 + strlen(cs1));
-	strcpy(tmp, "/tmp/");
-	strcat(tmp, cs1);
-	r = 4;
-	while (tmp[r])
-	{
-	    if (tmp[r] == ':' || tmp[r] == '\\')
-		tmp[r] = '_';
-	    r++;
-	}
-	if (GENERIC_READ & i1)
-	    flg |= O_RDONLY;
-	else if (GENERIC_WRITE & i1)
-	{
-	    flg |= O_WRONLY;
-	    printf("Warning: openning filename %s  %d (flags; 0x%x) for write\n", tmp, r, flg);
-	}
-	r=open(tmp, flg);
-	free(tmp);
-	return r;
-    }
+    if (!lpFileName) return -1; /* lpFileName is NULL */
 
-    // Needed by wnvplay1.dll
-    if (strstr(cs1, "WINNOV.bmp"))
+    strncat(dest, lpFileName, MAX_PATH);
+    dest[MAX_PATH] = 0;
+
+    if (strstr(dest, "..")) return -1; /* avoid directory traversal */
+
+    /* Sanitize the filename */
+    while (*p)
     {
-	int r;
-	r=open("/dev/null", 0);
-	return r;
+        if ((*p == '/') || (*p == '\\') || (*p == ':'))
+            *p = '_';
+        p++;
     }
 
-#if 0
-    /* we need this for some virtualdub filters */
+    /* Desidered Access */
+    if ((dwDesiredAccess & GENERIC_READ) &&
+        (dwDesiredAccess & GENERIC_WRITE))
+        flags |= O_RDWR;
+
+    if (dwDesiredAccess & GENERIC_READ) flags |= O_RDONLY;
+    if (dwDesiredAccess & GENERIC_WRITE) flags |= O_WRONLY;
+
+    /* Creation Disposition */
+    switch (dwCreationDisposition)
     {
-	int r;
-	int flg = 0;
-	if (GENERIC_READ & i1)
-	    flg |= O_RDONLY;
-	else if (GENERIC_WRITE & i1)
-	{
-	    flg |= O_WRONLY;
-	    printf("Warning: openning filename %s  %d (flags; 0x%x) for write\n", cs1, r, flg);
-	}
-	r=open(cs1, flg);
-	return r;
+        case CREATE_ALWAYS:
+            flags |= O_CREAT | O_TRUNC;
+            break;
+        case CREATE_NEW:
+            flags |= O_CREAT | O_EXCL;
+            break;
+        case TRUNCATE_EXISTING:
+            flags |= O_TRUNC;
+            break;
+        case OPEN_ALWAYS: /* flags ? */
+        case OPEN_EXISTING: /* flags ? */
+        default:
+            break;
     }
-#endif
-
-    return atoi(cs1+2);
+    return open(dest, flags);
 }
+
 static UINT WINAPI expGetSystemDirectoryA(
   char* lpBuffer,  // address of buffer for system directory
   UINT uSize        // size of directory buffer
@@ -3660,7 +3621,7 @@
 static DWORD  WINAPI expSetFilePointer(HANDLE h, LONG val, LPLONG ext, DWORD whence)
 {
     int wh;
-    dbgprintf("SetFilePointer(%d, 0x%x, 0x%x = %d, %d)\n", h, val, ext, *ext, whence);
+    dbgprintf("SetFilePointer(%d, 0x%x, 0x%x = %d, %d)\n", h, val, ext, ext ? *ext : NULL, whence);
     //why would DLL want temporary file with >2Gb size?
     switch(whence)
     {
