[vlc-commits] RealRTSP: Fix Heap Overflows

[Jean-Baptiste Kempf]

vlc/vlc-2.0 | branch: master | Jean-Baptiste Kempf <jb at videolan.org> | Tue Mar 13 11:18:12 2012 +0100| [f16c09d626cf3290d65101720c31a7f2560e7157] | committer: Jean-Baptiste Kempf

RealRTSP: Fix Heap Overflows

SA-1202
(cherry picked from commit 19bd7f7b3058619d7677afa96b38924e1422c4d7)

Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.0.git/?a=commit;h=f16c09d626cf3290d65101720c31a7f2560e7157
---

 modules/access/rtsp/real.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/modules/access/rtsp/real.c b/modules/access/rtsp/real.c
index 9bd4c87..86eab8c 100644
--- a/modules/access/rtsp/real.c
+++ b/modules/access/rtsp/real.c
@@ -351,6 +351,7 @@ static void real_calc_response_and_checksum (char *response, char *chksum, char
     chksum[i] = response[i*4];
 }
 
+#define MLTI_BUF_MAX_SIZE 2048
 
 /*
  * takes a MLTI-Chunk and a rule number got from match_asm_rule,
@@ -368,7 +369,7 @@ static int select_mlti_data(const char *mlti_chunk, int mlti_size, int selection
       ||(mlti_chunk[3] != 'I'))
   {
     lprintf("MLTI tag not detected, copying data\n");
-    memcpy(*out, mlti_chunk, mlti_size);
+    memcpy(*out, mlti_chunk, __MIN(mlti_size,MLTI_BUF_MAX_SIZE));
     return mlti_size;
   }
 
@@ -405,7 +406,7 @@ static int select_mlti_data(const char *mlti_chunk, int mlti_size, int selection
   }
   size=BE_32(mlti_chunk);
 
-  memcpy(*out, mlti_chunk+4, size);
+  memcpy(*out, mlti_chunk+4, __MIN(size,MLTI_BUF_MAX_SIZE));
   return size;
 }
 
@@ -430,7 +431,7 @@ static rmff_header_t *real_parse_sdp(char *data, char **stream_rules, uint32_t b
   desc=sdpplin_parse(data);
   if( !desc ) return NULL;
 
-  buf= (char *)malloc(2048);
+  buf= (char *)malloc(MLTI_BUF_MAX_SIZE);
   if( !buf ) goto error;
 
   header = calloc( 1, sizeof(rmff_header_t) );