[vlc-commits] realrtsp: fixed bufferoverflow and off-by-one
Filip Roséen
git at videolan.org
Fri Feb 26 17:48:45 CET 2016
vlc | branch: master | Filip Roséen <filip at atch.se> | Thu Feb 25 10:12:32 2016 +0100| [a9bf85e5fd80489b3e8c1d8badb7d50c90387f6d] | committer: Jean-Baptiste Kempf
realrtsp: fixed bufferoverflow and off-by-one
- `strchr` can return `NULL`
- `data` is a pointer to a buffer which has a length that depends on
the previous read of `Content-Header`.
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=a9bf85e5fd80489b3e8c1d8badb7d50c90387f6d
---
modules/access/rtsp/real_sdpplin.c | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/modules/access/rtsp/real_sdpplin.c b/modules/access/rtsp/real_sdpplin.c
index 0f56ce8..4119795 100644
--- a/modules/access/rtsp/real_sdpplin.c
+++ b/modules/access/rtsp/real_sdpplin.c
@@ -32,6 +32,14 @@ static inline char *nl(char *data) {
return (nlptr) ? nlptr + 1 : NULL;
}
+static inline int line_length(char * data) {
+ char const * p = nl(data);
+ if (p) {
+ return p - data - 1;
+ }
+ return strlen(data);
+}
+
static int filter(access_t *p_access, const char *in, const char *filter, char **out, size_t outlen) {
int flen=strlen(filter);
@@ -158,12 +166,13 @@ static sdpplin_stream_t *sdpplin_parse_stream(access_t *p_access, char **data) {
if(!handled) {
#ifdef LOG
- int len=strchr(*data,'\n')-(*data);
- memcpy(buf, *data, len+1);
- buf[len]=0;
- msg_Warn(p_access, "libreal: sdpplin: not handled: '%s'\n", buf);
+ int len = line_length(*data);
+ ; len = len < BUFLEN ? len : BUFLEN-1;
+ buf[len] = '\0';
+ strncpy (buf, *data, len);
+ msg_Warn(p_access, "libreal: sdpplin: not handled: '%s'", buf);
#endif
- *data=nl(*data);
+ *data=nl(*data); /* always move to next line */
}
}
free( buf );
@@ -272,9 +281,10 @@ sdpplin_t *sdpplin_parse(access_t *p_access, char *data)
if(!handled) {
#ifdef LOG
- int len=strchr(data,'\n')-data;
- memcpy(buf, data, len+1);
- buf[len]=0;
+ int len = line_length(data);
+ ; len = len < BUFLEN ? len : BUFLEN-1;
+ buf[len] = '\0';
+ strncpy (buf, data, len);
msg_Warn(p_access, "libreal: sdpplin: not handled: '%s'", buf);
#endif
data=nl(data);
More information about the vlc-commits
mailing list