[vlc-commits] realrtsp: fixed memcpy potentially reading outside buffer

[Filip Roséen]

vlc | branch: master | Filip Roséen <filip at atch.se> | Thu Feb 25 10:12:33 2016 +0100| [64f85e36cb01d98cdaac98d6fe33b0a58531c61b] | committer: Jean-Baptiste Kempf

realrtsp: fixed memcpy potentially reading outside buffer

If `psz_buffer` points to a string equivalent to just "RTSP/1.0", we
would read 2 bytes outside the buffer when (the removed) `memcpy` was
invoked.

Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=64f85e36cb01d98cdaac98d6fe33b0a58531c61b
---

 modules/access/rtsp/rtsp.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/modules/access/rtsp/rtsp.c b/modules/access/rtsp/rtsp.c
index f044a9d..23b6f99 100644
--- a/modules/access/rtsp/rtsp.c
+++ b/modules/access/rtsp/rtsp.c
@@ -129,13 +129,12 @@ static int rtsp_put( rtsp_client_t *rtsp, const char *psz_string )
 static int rtsp_get_status_code( rtsp_client_t *rtsp, const char *psz_string )
 {
     VLC_UNUSED(rtsp);
-    char psz_buffer[4];
+    char psz_buffer[4] = {0,0,0,0};
     int i_code = 0;
 
     if( !strncmp( psz_string, "RTSP/1.0", sizeof("RTSP/1.0") - 1 ) )
     {
-        memcpy( psz_buffer, psz_string + sizeof("RTSP/1.0"), 3 );
-        psz_buffer[3] = 0;
+        strncpy(psz_buffer, psz_string + sizeof("RTSP/1.0"), 3);
         i_code = atoi( psz_buffer );
     }
     else if( !strncmp( psz_string, "SET_PARAMETER", sizeof("SET_PARAMETER") - 1 ) )