
github.com/azatoth/minidlna.git - Unnamed repository; edit this file 'description' to name the repository.
authorJustin Maggard <jmaggard@users.sourceforce.net>2011-08-18 22:52:58 +0400
committerJustin Maggard <jmaggard@users.sourceforce.net>2011-08-18 22:52:58 +0400
commit49379515d117cb5aa20bafae5937a9240315adc3 (patch)
tree4b3a656ddb00a2515cab53b83abf019955530e03 /upnpsoap.c
parentfcea9fe0a22a72751bf37b46bc6f0cc9ff6893ff (diff)
* Fix a crash bug with certain invalid Browse or Search requests.
Diffstat (limited to 'upnpsoap.c')
-rw-r--r--upnpsoap.c80
1 files changed, 39 insertions, 41 deletions
diff --git a/upnpsoap.c b/upnpsoap.c
index 33aeb0f..6c8cd98 100644
--- a/upnpsoap.c
+++ b/upnpsoap.c
@@ -983,22 +983,28 @@ BrowseContentDirectory(struct upnphttp * h, const char * action)
"<Result>"
"&lt;DIDL-Lite"
CONTENT_DIRECTORY_SCHEMAS;
- char *zErrMsg = 0;
+ char *zErrMsg = NULL;
char *sql, *ptr;
- int ret;
struct Response args;
struct string_s str;
int totalMatches;
+ int ret;
+ char *ObjectID, *Filter, *BrowseFlag, *SortCriteria;
+ char *orderBy = NULL;
struct NameValueParserData data;
-
- ParseNameValue(h->req_buf + h->req_contentoff, h->req_contentlen, &data);
- char * ObjectID = GetValueFromNameValueList(&data, "ObjectID");
- char * Filter = GetValueFromNameValueList(&data, "Filter");
- char * BrowseFlag = GetValueFromNameValueList(&data, "BrowseFlag");
- char * SortCriteria = GetValueFromNameValueList(&data, "SortCriteria");
- char * orderBy = NULL;
int RequestedCount = 0;
int StartingIndex = 0;
+
+ memset(&args, 0, sizeof(args));
+ memset(&str, 0, sizeof(str));
+
+ ParseNameValue(h->req_buf + h->req_contentoff, h->req_contentlen, &data);
+
+ ObjectID = GetValueFromNameValueList(&data, "ObjectID");
+ Filter = GetValueFromNameValueList(&data, "Filter");
+ BrowseFlag = GetValueFromNameValueList(&data, "BrowseFlag");
+ SortCriteria = GetValueFromNameValueList(&data, "SortCriteria");
+
if( (ptr = GetValueFromNameValueList(&data, "RequestedCount")) )
RequestedCount = atoi(ptr);
if( !RequestedCount )
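Review bot: The two `memset` calls now sit above `ParseNameValue` with nothing to say why their position matters, so a later tidy-up could move them back and reintroduce the crash. Judging by the commit message and the `goto browse_error` visible in the next hunk, the error path presumably reads `str` or `args`, which the old code had not yet initialised at that point; the label itself is outside the hunk, so confirm. A one-line comment above them would pin the ordering: `/* zero args/str before the first goto browse_error; the cleanup path reads them */`. The same applies to the matching `memset` pair added in SearchContentDirectory ahead of its `goto search_error` paths.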
@@ -1015,8 +1021,6 @@ BrowseContentDirectory(struct upnphttp * h, const char * action)
SoapError(h, 701, "No such object error");
goto browse_error;
}
- memset(&args, 0, sizeof(args));
- memset(&str, 0, sizeof(str));
str.data = malloc(DEFAULT_RESP_SIZE);
str.size = DEFAULT_RESP_SIZE;
@@ -1171,25 +1175,29 @@ SearchContentDirectory(struct upnphttp * h, const char * action)
"<Result>"
"&lt;DIDL-Lite"
CONTENT_DIRECTORY_SCHEMAS;
- char *zErrMsg = 0;
+ char *zErrMsg = NULL;
char *sql, *ptr;
- char **result;
struct Response args;
struct string_s str;
- int totalMatches = 0;
+ int totalMatches;
int ret;
-
- struct NameValueParserData data;
- ParseNameValue(h->req_buf + h->req_contentoff, h->req_contentlen, &data);
- char * ContainerID = GetValueFromNameValueList(&data, "ContainerID");
- char * Filter = GetValueFromNameValueList(&data, "Filter");
- char * SearchCriteria = GetValueFromNameValueList(&data, "SearchCriteria");
- char * SortCriteria = GetValueFromNameValueList(&data, "SortCriteria");
- char * newSearchCriteria = NULL;
- char * orderBy = NULL;
+ char *ContainerID, *Filter, *SearchCriteria, *SortCriteria;
+ char *newSearchCriteria = NULL, *orderBy = NULL;
char groupBy[] = "group by DETAIL_ID";
+ struct NameValueParserData data;
int RequestedCount = 0;
int StartingIndex = 0;
+
+ memset(&args, 0, sizeof(args));
+ memset(&str, 0, sizeof(str));
+
+ ParseNameValue(h->req_buf + h->req_contentoff, h->req_contentlen, &data);
+
+ ContainerID = GetValueFromNameValueList(&data, "ContainerID");
+ Filter = GetValueFromNameValueList(&data, "Filter");
+ SearchCriteria = GetValueFromNameValueList(&data, "SearchCriteria");
+ SortCriteria = GetValueFromNameValueList(&data, "SortCriteria");
+
if( (ptr = GetValueFromNameValueList(&data, "RequestedCount")) )
RequestedCount = atoi(ptr);
if( !RequestedCount )
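Review bot: `int totalMatches;` drops the `= 0` initialiser the old declaration had, and the variable is not assigned until the later `sql_get_int_field` call. Any `goto search_error` taken before that assignment leaves it indeterminate. Whether the code after the label reads it is not visible from this hunk, but keeping `int totalMatches = 0;` costs nothing and removes the question. The function body continues outside the hunk.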
@@ -1204,8 +1212,6 @@ SearchContentDirectory(struct upnphttp * h, const char * action)
goto search_error;
}
}
- memset(&args, 0, sizeof(args));
- memset(&str, 0, sizeof(str));
str.data = malloc(DEFAULT_RESP_SIZE);
str.size = DEFAULT_RESP_SIZE;
@@ -1317,22 +1323,14 @@ SearchContentDirectory(struct upnphttp * h, const char * action)
}
DPRINTF(E_DEBUG, L_HTTP, "Translated SearchCriteria: %s\n", SearchCriteria);
- sql = sqlite3_mprintf("SELECT (select count(distinct DETAIL_ID)"
- " from OBJECTS o left join DETAILS d on (o.DETAIL_ID = d.ID)"
- " where (OBJECT_ID glob '%s$*') and (%s))"
- " + "
- "(select count(*) from OBJECTS o left join DETAILS d on (o.DETAIL_ID = d.ID)"
- " where (OBJECT_ID = '%s') and (%s))",
- ContainerID, SearchCriteria, ContainerID, SearchCriteria);
- //DEBUG DPRINTF(E_DEBUG, L_HTTP, "Count SQL: %s\n", sql);
- ret = sql_get_table(db, sql, &result, NULL, NULL);
- sqlite3_free(sql);
- if( ret == SQLITE_OK )
- {
- totalMatches = atoi(result[1]);
- sqlite3_free_table(result);
- }
- else
+ totalMatches = sql_get_int_field(db, "SELECT (select count(distinct DETAIL_ID)"
+ " from OBJECTS o left join DETAILS d on (o.DETAIL_ID = d.ID)"
+ " where (OBJECT_ID glob '%s$*') and (%s))"
+ " + "
+ "(select count(*) from OBJECTS o left join DETAILS d on (o.DETAIL_ID = d.ID)"
+ " where (OBJECT_ID = '%s') and (%s))",
+ ContainerID, SearchCriteria, ContainerID, SearchCriteria);
+ if( totalMatches < 0 )
{
/* Must be invalid SQL, so most likely bad or unhandled search criteria. */
SoapError(h, 708, "Unsupported or invalid search criteria");
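Review bot: `ContainerID` is taken from the request body by `GetValueFromNameValueList` earlier in this function and is placed inside single quotes with `%s`, so a quote character in it ends the SQL literal and changes the statement. If `sql_get_int_field` formats with SQLite's printf family, as the replaced `sqlite3_mprintf` call did, use `%q` for both occurrences: `" where (OBJECT_ID glob '%q$*') and (%s))"` and `" where (OBJECT_ID = '%q') and (%s))"`. `SearchCriteria` is spliced in as an expression and cannot be escaped this way, so it relies on the translation step above the hunk rejecting input it does not recognise. The `if` body continues outside the hunk.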