[vlc-commits] realrtsp: fixed crash on unsuccessful DESCRIBE-response that includes `Alert`

Filip Roséen git at videolan.org
Fri Feb 26 20:46:47 CET 2016 

vlc/vlc-2.2 | branch: master | Filip Roséen <filip at atch.se> | Thu Feb 25 10:12:29 2016 +0100| [bc5bebcc85d526c7771bab3ee7016e3d6f0415c7] | committer: Jean-Baptiste Kempf

realrtsp: fixed crash on unsuccessful DESCRIBE-response that includes `Alert`

If the remote server yields an error on the `DESCRIBE` request, while
also including an error message the module would crash due to an invalid
free.

% netcat -l -p 8080 <<EOF
> RTSP/1.0 200 OK
> CSeq: 1
> Server: Real
> RealChallenge1: DEADBEEF
>
> RTSP/1.0 199 OK
> CSeq: 2
> Alert: I like turtles
>
EOF

The reason being that `alert` will point to the middle of allocated
memory. Given the sourroundings the original author probably forgot to
`strdup` the message - even though that is very unnecessary.

Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
(cherry picked from commit 859d6f63e5d65ee7792cb22371e76d3fbd42ea91)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.2.git/?a=commit;h=bc5bebcc85d526c7771bab3ee7016e3d6f0415c7
---

 modules/access/rtsp/real.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/modules/access/rtsp/real.c b/modules/access/rtsp/real.c
index 0b7d5cc..53ad3bc 100644
--- a/modules/access/rtsp/real.c
+++ b/modules/access/rtsp/real.c
@@ -649,13 +649,11 @@ rmff_header_t  *real_setup_and_get_header(rtsp_client_t *rtsp_session, int bandw
   status=rtsp_request_describe(rtsp_session,NULL);
   if ( status<200 || status>299 ) {
     msg_Dbg (p_access, "server returned status code %d", status);
-    char *alert=rtsp_search_answers(rtsp_session,"Alert");
-    if (alert) {
-        msg_Dbg(p_access, "server replied with a message: %s", alert);
+    if ((p_data = rtsp_search_answers(rtsp_session, "Alert"))) {
+      msg_Dbg(p_access, "server replied with a message: '%s'", p_data);
     }
     rtsp_send_ok( rtsp_session );
     free( challenge1 );
-    free( alert );
     free( buf );
     return NULL;
   }

More information about the vlc-commits mailing list