From f4148ae0b8ed0761ea4b6227a9890e074763dd7f Mon Sep 17 00:00:00 2001
From: jfreegman
Date: Wed, 28 Feb 2024 22:41:14 -0500
Subject: [PATCH] fix: make sure call control index is in-bounds for video calls

With commit 3158aced it's possible for the index to be out-of-bounds if a malloc fails while initializing AV
---
 src/video_call.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/src/video_call.c b/src/video_call.c
index e53bb541d..e582c4082 100644
--- a/src/video_call.c
+++ b/src/video_call.c
@@ -109,9 +109,16 @@ static void read_video_device_callback(Toxic *toxic, int16_t width, int16_t heig
 }
 const Client_Config *c_config = toxic->c_config;
+ ToxWindow *home_window = toxic->home_window;
 uint32_t friend_number = *((uint32_t *)data); /* TODO: Or pass an array of call_idx's */
+
+ if (friend_number >= CallControl.max_calls) {
+ line_info_add(home_window, c_config, false, NULL, NULL, SYS_MSG, 0, 0, "Invalid call index.");
+ return;
+ }
+
 Call *this_call = &CallControl.calls[friend_number];
 Toxav_Err_Send_Frame error;
@@ -216,6 +223,10 @@ void on_video_bit_rate(ToxAV *av, uint32_t friend_number, uint32_t video_bit_rat
 UNUSED_VAR(av);
 UNUSED_VAR(user_data);
+ if (friend_number >= CallControl.max_calls) {
+ return;
+ }
+
 Call *call = &CallControl.calls[friend_number];
 call->video_bit_rate = video_bit_rate;
@@ -227,6 +238,10 @@ void on_video_bit_rate(ToxAV *av, uint32_t friend_number, uint32_t video_bit_rat
 void callback_recv_video_starting(uint32_t friend_number) {
+ if (friend_number >= CallControl.max_calls) {
+ return;
+ }
+
 Call *this_call = &CallControl.calls[friend_number];
 if (this_call->status != cs_Active || this_call->vout_idx != -1) {
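Review bot: The out-of-range branch in read_video_device_callback writes "Invalid call index." to the home window on every invocation, so if this callback runs once per captured frame (its name suggests so, but the caller is not in the hunk) a bad index would repeat the message at frame rate. The other callbacks in this patch return silently; doing the same here, or reporting once and then stopping the device, would avoid that. `friend_number` is also read through `*((uint32_t *)data)` before any check, so a guard such as `if (data == NULL) { return; }` ahead of the cast is worth adding unless the registration path guarantees a non-NULL pointer. The function body starts and ends outside the hunk.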
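Review bot: The bounds test added in on_video_bit_rate is one of nine hand-written copies in this patch (six on `friend_number`, three on `self->num` in cmd_vcall, cmd_video and cmd_res), and every copy is only as strong as the assumption that `CallControl.max_calls` never exceeds the number of entries actually allocated for `CallControl.calls`. The commit message says the array can be missing after a failed malloc, but the code that keeps `max_calls` in step with that failure is not part of this diff. A single lookup helper that also rejects a NULL `calls` (assuming it is a heap pointer, as the commit message implies) would state the invariant once and make a future call site harder to get wrong. The enclosing functions all extend beyond their hunks.

```c
/* Returns the call slot for `index`, or NULL when AV was not initialised
 * or `index` lies outside the allocated array. */
static Call *get_video_call(uint32_t index)
{
    if (CallControl.calls == NULL || index >= CallControl.max_calls) {
        return NULL;
    }

    return &CallControl.calls[index];
}

/* … unchanged: UNUSED_VAR lines in on_video_bit_rate … */
Call *call = get_video_call(friend_number);

if (call == NULL) {
    return;
}
```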
@@ -237,6 +252,10 @@ void callback_recv_video_starting(uint32_t friend_number)
 }
 void callback_recv_video_end(uint32_t friend_number) {
+ if (friend_number >= CallControl.max_calls) {
+ return;
+ }
+
 Call *this_call = &CallControl.calls[friend_number];
 if (this_call->status != cs_Active || this_call->vout_idx == -1) {
@@ -248,6 +267,10 @@ void callback_recv_video_end(uint32_t friend_number)
 }
 static void callback_video_starting(Toxic *toxic, uint32_t friend_number) {
+ if (friend_number >= CallControl.max_calls) {
+ return;
+ }
+
 Call *this_call = &CallControl.calls[friend_number];
 Toxav_Err_Call_Control error = TOXAV_ERR_CALL_CONTROL_OK;
@@ -271,6 +294,10 @@ static void callback_video_starting(Toxic *toxic, uint32_t friend_number)
 }
 void callback_video_end(uint32_t friend_number) {
+ if (friend_number >= CallControl.max_calls) {
+ return;
+ }
+
 stop_video_transmission(&CallControl.calls[friend_number], friend_number);
 }
 /*
@@ -308,6 +335,11 @@ void cmd_vcall(WINDOW *window, ToxWindow *self, Toxic *toxic, int argc, char (*a
 return;
 }
+ if (self->num >= CallControl.max_calls) {
+ print_err(self, c_config, "Invalid call index.");
+ return;
+ }
+
 Call *call = &CallControl.calls[self->num];
 if (call->status != cs_None) {
@@ -333,6 +365,11 @@ void cmd_video(WINDOW *window, ToxWindow *self, Toxic *toxic, int argc, char (*a
 const Client_Config *c_config = toxic->c_config;
+ if (self->num >= CallControl.max_calls) {
+ print_err(self, c_config, "Invalid call index.");
+ return;
+ }
+
 Call *this_call = &CallControl.calls[self->num];
 if (argc != 0) {
@@ -373,6 +410,11 @@ void cmd_res(WINDOW *window, ToxWindow *self, Toxic *toxic, int argc, char (*arg
 const Client_Config *c_config = toxic->c_config;
+ if (self->num >= CallControl.max_calls) {
+ print_err(self, c_config, "Invalid call index.");
+ return;
+ }
+
 Call *call = &CallControl.calls[self->num];
 if (argc == 0) {
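Review bot: "Invalid call index." in cmd_vcall (and the identical branches in cmd_video and cmd_res) reports an internal condition the user cannot act on; going by the commit message, the index is out of range because AV failed to initialise, not because of anything typed. Something like `print_err(self, c_config, "Audio/video is unavailable.");` would tell the user what is actually wrong. The declarations of `self->num` and `CallControl.max_calls` are not visible here, and the test catches a negative `self->num` only if the comparison is performed in an unsigned type, which is worth confirming. All three function bodies extend beyond their hunks.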