Add input validation and shell argument escaping to prevent OS command
injection via the 'show' parameter in web/views/image.php. The parameter
is now validated against an allowlist and all values passed to exec()
are wrapped with escapeshellarg().
Also fix PHP operator precedence bug in shutdown.php where 'and' was
used instead of '&&', causing the 'when' parameter validation to not
work as intended.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add null check for avformat_alloc_context() return value
- Add null checks for avformat_new_stream() and avcodec_alloc_context3()
- Fix copy-paste bug using smStaticPayloads instead of smDynamicPayloads
  when setting codec_name for dynamic payloads
- Fix memory leak by freeing codec_context after copying parameters
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Guard against division by zero when calculating mRtpFactor if two
RTCP packets arrive with the same or very close NTP timestamps.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change SSRC variable from unsigned long to uint32_t to match the
  struct definition (avoids inconsistent width on 64-bit platforms)
- Fix format specifier from %lx to %x to match uint32_t
- Change recv return type from int to ssize_t for correctness and
  consistency with zm_rtp_ctrl.cpp
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The NTP timestamp fields ntpSecN and ntpFracN are defined as uint32_t
in the RtcpPacket struct, but were being assigned to uint16_t local
variables, truncating the upper 16 bits.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Check if DIR_EVENTS is empty before accessing [0] to prevent UB
- Replace strcpy with strncpy for safer string copying
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Check if response is empty before accessing response[0]
- Check if zmDbFetch result is null before using it
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Prevents undefined behavior when path string is empty by checking
path.empty() before accessing path[0].
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Previously, if zmDbFetch returned a result but mysql_num_rows != 1,
the MYSQL_RES was not freed before returning nullptr, causing a
memory leak. Now properly frees the result in all code paths.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Prevents potential deadlock by ensuring any running thread is signaled
to terminate before joining, matching the pattern used in other thread
classes.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix typo: "GotFrameBufferUpdateallback" -> "GotFrameBufferUpdateCallback"
- Add null check after malloc in GetCredentialsCallback
- Use av_free() instead of free() in Close() since buffer was allocated
  with av_malloc()
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Prevents potential crash if the function pointer or media player is null
(e.g., if library loading failed or PrimeCapture was not called).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Previously, when av_buffer_create() failed and returned nullptr, the code
only issued a Warning and continued, assigning the null pointer to the
frame buffer and returning success. Now properly returns -1 on failure.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix misleading error message: "reading" -> "writing" in sendMJEGFrames
- Add null check for monitor after Monitor::Load to prevent crash
  if monitor doesn't exist
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove unreachable return statement after continue
- Add null check for input_format_context in Close() to prevent
  dereference when using the alternative Open() overload
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add null check after avformat_alloc_context() to prevent null pointer
  dereference if allocation fails
- Fix incomplete error message that was missing the path parameter
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Debug messages incorrectly used "!=" when describing matching conditions.
Changed to "==" to accurately reflect that the codec name/id matched.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
zm_videostore.cpp:
- Fix incorrect size passed to av_stream_add_side_data (was sizeof(int32_t),
  should be sizeof(int32_t)*9 for display matrix)
- Fix null pointer dereference of chosen_codec_data in PASSTHROUGH mode
  (use video_in_ctx->pix_fmt instead)
zm_stream.cpp:
- Fix logic error in last_crop initialization check (OR should be AND)
zm_eventstream.cpp:
- Fix null pointer dereference when video_file or scheme column is NULL
- Fix out-of-bounds array access in CMD_SEEK handler when curr_frame_id
  decrements to 0
- Fix setStreamStart calling wrong loadInitialEventData overload (event_id
  was being truncated and used as monitor_id)
zm_fifo.cpp:
- Fix close(-1) call when file creation fails
- Fix use of uninitialized raw_fd when on_blocking_abort is false
- Reset outfile and raw_fd in close() to prevent use-after-close
zm_monitor.cpp:
- Fix shm_id being zeroed before use in shmctl() call
1. User::Copy() was copying monitor_permissions_loaded into
   group_permissions_loaded, should copy group_permissions_loaded.
2. zmLoadTokenUser() passed getenv() result directly to std::string
   constructor. If REMOTE_ADDR is not set, getenv() returns nullptr,
   and constructing std::string from nullptr is undefined behavior.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
getsockopt() returns -1 on error, not an errno value. The actual error
code is stored in errno. Using strerror(retval) with retval=-1 gives
incorrect error messages.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Mosquitto library functions return their own error codes (MOSQ_ERR_*),
not errno values. Using strerror() on these codes gives incorrect
error messages. Use mosquitto_strerror() which is designed for
Mosquitto error codes.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
rename() returns -1 on error, not an errno value. The actual error
code is stored in errno. Using strerror(result) with result=-1 gives
incorrect error messages.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1. Double decrement in trailing whitespace removal loop caused skipping
   of characters. The post-decrement in *temp_ptr-- = '\0' already moves
   the pointer, so the extra temp_ptr-- was wrong.
2. ConfigItem copy constructor didn't copy cfg_type, cfg_value, or
   accessed from the source item, leaving them uninitialized.
3. ConfigItem::Copy() used delete instead of delete[] for arrays
   allocated with new[]. This is undefined behavior.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1. Socket copy constructor was copying from mLocalAddr/mRemoteAddr
   which were just initialized to nullptr, instead of from the source
   socket's addresses (socket.mLocalAddr/socket.mRemoteAddr).
2. Socket::recv() methods had buffer overflow: if recv() returned
   exactly buffer.size() bytes, writing the null terminator at
   buffer[nBytes] would be out of bounds. Allocate +1 for the
   terminator and limit recv to buffer.size()-1.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
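The terminator off-by-one from item 2 of the commit message above, shown as an added example that is not ZoneMinder's code. `recv_text` and `demo_recv` are hypothetical helpers, and the payload sent over the socketpair is constructed so that recv() fills every byte it is offered.

```cpp
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <string>
#include <vector>

// Hypothetical helper: read at most max_payload bytes and return them as text.
// The buffer holds max_payload + 1 bytes and recv() is offered size() - 1, so
// buf[n] stays in bounds even when recv() returns the maximum it was allowed.
std::string recv_text(int fd, size_t max_payload) {
  std::vector<char> buf(max_payload + 1);            // +1 for the terminator
  ssize_t n = ::recv(fd, buf.data(), buf.size() - 1, 0);
  if (n < 0) return std::string();                   // failure: cause is in errno
  buf[static_cast<size_t>(n)] = '\0';                // n <= max_payload < buf.size()
  return std::string(buf.data(), static_cast<size_t>(n));
}

// Constructed scenario: send payload through a local socketpair and read it
// back with a chosen capacity. payload.size() == max_payload is the exact-fill
// case in which the unfixed code wrote one byte past the end of its buffer.
std::string demo_recv(const std::string &payload, size_t max_payload) {
  int sv[2];
  if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return "socketpair failed";
  ssize_t sent = ::send(sv[0], payload.data(), payload.size(), 0);
  std::string got = (sent == static_cast<ssize_t>(payload.size()))
                        ? recv_text(sv[1], max_payload)
                        : "send failed";
  close(sv[0]);
  close(sv[1]);
  return got;
}

int main() {
  // Exact fill and a short read must both come back intact and in bounds.
  bool ok = demo_recv("ABCDEFGH", 8) == "ABCDEFGH" &&
            demo_recv("ABCDEFGH", 4) == "ABCD";
  return ok ? 0 : 1;
}
```

Building this with -fsanitize=address and changing `buf.size() - 1` back to `buf.size()` with a buffer of exactly `max_payload` bytes makes the exact-fill case report a heap overflow.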
1. Socket::getBlocking() returned inverted logic. When O_NONBLOCK flag
   is set, the socket is non-blocking, so blocking should be false.
   The code returned true when O_NONBLOCK was set.
2. Select::wait() checked the wrong fd_set for writers. It checked
   &rfds (read fd_set) instead of &wfds (write fd_set), meaning
   writeable sockets were never properly detected.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
If avformat_new_stream() returns nullptr, the code would log an error
but then still dereference mVideoStream to get the index, causing a
null pointer dereference crash.
Move the assignment inside the if block where mVideoStream is known
to be valid.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When a Buffer is created with the default constructor, mHead is nullptr.
If tidy() is called on an empty default-constructed buffer (e.g., via
consume(0)), the code would dereference nullptr at line 155:
    } else if (mSize == 0) {
      *mHead = '\0'; // CRASH: mHead is nullptr
Add a null check before dereferencing mHead.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The MQTT constructor was incorrectly attempting to call the base class
constructor in the constructor body:
    mosquittopp(name.c_str());
This creates a temporary mosquittopp object that is immediately destroyed,
leaving the actual base class uninitialized. When connect() is subsequently
called, it uses methods from the uninitialized base class, causing a segfault.
Move the base class initialization to the member initializer list where it
belongs.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
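The constructor-body pattern from the commit message above, reproduced as an added example that is not ZoneMinder's code. `ClientBase` is a hypothetical stand-in for a library base class such as mosquittopp, with counters added so the discarded temporary is visible; the client name is constructed.

```cpp
#include <string>

// Hypothetical stand-in for the library base class; it records the id it was
// constructed with and counts constructions and destructions.
class ClientBase {
 public:
  explicit ClientBase(const char *id = nullptr) : id_(id ? id : "") { ++constructed; }
  ~ClientBase() { ++destroyed; }
  const std::string &id() const { return id_; }
  static int constructed;
  static int destroyed;
 private:
  std::string id_;
};
int ClientBase::constructed = 0;
int ClientBase::destroyed = 0;

// Pattern from the commit message: the statement in the body builds and
// immediately destroys an unnamed temporary. The real base sub-object was
// already constructed with its defaults before the body started.
class BuggyClient : public ClientBase {
 public:
  explicit BuggyClient(const std::string &name) {
    ClientBase(name.c_str());  // temporary object, not base initialization
  }
};

// Fix: pass the argument to the base in the member initializer list.
class FixedClient : public ClientBase {
 public:
  explicit FixedClient(const std::string &name) : ClientBase(name.c_str()) {}
};

struct Observation { std::string id; int constructed; int destroyed; };

// Construct one client of type T and report what the base class saw while
// the client is still alive.
template <typename T>
Observation observe(const std::string &name) {
  ClientBase::constructed = ClientBase::destroyed = 0;
  T client(name);
  return {client.id(), ClientBase::constructed, ClientBase::destroyed};
}

int main() {
  bool ok = observe<BuggyClient>("zm_monitor_1").id.empty() &&
            observe<FixedClient>("zm_monitor_1").id == "zm_monitor_1";
  return ok ? 0 : 1;
}
```

The buggy variant shows two constructions and one destruction while the client is alive, which is the signature of the throwaway temporary; the fixed variant shows one construction and none destroyed.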
- Add SSL verification state tracking to Dahua.pm to ensure retry logic works for all requests
- Add SSL retry logic to Dahua.pm sendCmd method
- Remove redundant 'use IO::Socket::SSL' statements from TapoC520WS_ONVIF.pm retry blocks
refs #TBD
Co-authored-by: connortechnology <925519+connortechnology@users.noreply.github.com>
The CURLE_PEER_FAILED_VERIFICATION constant may not be defined in all PHP curl versions. Use the numeric value (51) instead for better compatibility.
refs #TBD
Co-authored-by: connortechnology <925519+connortechnology@users.noreply.github.com>