[vlc-commits] RealRTSP: Fix Heap Overflows
Jean-Baptiste Kempf
git at videolan.org
Thu Mar 15 18:04:56 CET 2012
vlc/vlc-2.0 | branch: master | Jean-Baptiste Kempf <jb at videolan.org> | Tue Mar 13 11:18:12 2012 +0100| [f16c09d626cf3290d65101720c31a7f2560e7157] | committer: Jean-Baptiste Kempf
RealRTSP: Fix Heap Overflows
SA-1202
(cherry picked from commit 19bd7f7b3058619d7677afa96b38924e1422c4d7)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.0.git/?a=commit;h=f16c09d626cf3290d65101720c31a7f2560e7157
---
modules/access/rtsp/real.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/modules/access/rtsp/real.c b/modules/access/rtsp/real.c
index 9bd4c87..86eab8c 100644
--- a/modules/access/rtsp/real.c
+++ b/modules/access/rtsp/real.c
@@ -351,6 +351,7 @@ static void real_calc_response_and_checksum (char *response, char *chksum, char
chksum[i] = response[i*4];
}
+#define MLTI_BUF_MAX_SIZE 2048
/*
* takes a MLTI-Chunk and a rule number got from match_asm_rule,
@@ -368,7 +369,7 @@ static int select_mlti_data(const char *mlti_chunk, int mlti_size, int selection
||(mlti_chunk[3] != 'I'))
{
lprintf("MLTI tag not detected, copying data\n");
- memcpy(*out, mlti_chunk, mlti_size);
+ memcpy(*out, mlti_chunk, __MIN(mlti_size,MLTI_BUF_MAX_SIZE));
return mlti_size;
}
@@ -405,7 +406,7 @@ static int select_mlti_data(const char *mlti_chunk, int mlti_size, int selection
}
size=BE_32(mlti_chunk);
- memcpy(*out, mlti_chunk+4, size);
+ memcpy(*out, mlti_chunk+4, __MIN(size,MLTI_BUF_MAX_SIZE));
return size;
}
@@ -430,7 +431,7 @@ static rmff_header_t *real_parse_sdp(char *data, char **stream_rules, uint32_t b
desc=sdpplin_parse(data);
if( !desc ) return NULL;
- buf= (char *)malloc(2048);
+ buf= (char *)malloc(MLTI_BUF_MAX_SIZE);
if( !buf ) goto error;
header = calloc( 1, sizeof(rmff_header_t) );
More information about the vlc-commits
mailing list