[vlc-commits] realrtsp: fixed rtsp_send_request to respect bounds of `scheduled`

Filip Roséen git at videolan.org
Fri Feb 26 20:46:47 CET 2016


vlc/vlc-2.2 | branch: master | Filip Roséen <filip at atch.se> | Thu Feb 25 10:12:34 2016 +0100| [4db67cd1ee265d3f8d928c2d5a9b4a0fff7d5410] | committer: Jean-Baptiste Kempf

realrtsp: fixed rtsp_send_request to respect bounds of `scheduled`

The previous code would read out-of-bounds if the scheduled queue was full,
since the code expects there to be at least one NULL value among the fields
(something which is not guaranteed).

Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
(cherry picked from commit 7c5f750b86f0be6f1af5e52a7055cb0df8ff6f23)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.2.git/?a=commit;h=4db67cd1ee265d3f8d928c2d5a9b4a0fff7d5410
---

 modules/access/rtsp/rtsp.c |   22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/modules/access/rtsp/rtsp.c b/modules/access/rtsp/rtsp.c
index 23b6f99..44e397b 100644
--- a/modules/access/rtsp/rtsp.c
+++ b/modules/access/rtsp/rtsp.c
@@ -157,9 +157,14 @@ static int rtsp_get_status_code( rtsp_client_t *rtsp, const char *psz_string )
 static int rtsp_send_request( rtsp_client_t *rtsp, const char *psz_type,
                               const char *psz_what )
 {
-    char **ppsz_payload = rtsp->p_private->scheduled;
+    char **ppsz_payload;
     char *psz_buffer;
-    int i_ret;
+    int i_ret, i;
+
+    if (rtsp->p_private == NULL)
+      return -1;
+
+    ppsz_payload = rtsp->p_private->scheduled;
 
     psz_buffer = xmalloc( strlen(psz_type) + strlen(psz_what) +
                          sizeof("RTSP/1.0") + 2 );
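Review bot: the new `if (rtsp->p_private == NULL) return -1;` guard at the top of rtsp_send_request has no comment saying when `p_private` can legitimately be NULL at this point, and it returns -1 through the same `int` that otherwise carries the result of `rtsp_put`, so a caller cannot tell "no private state" apart from a failed write. A one-line comment on the guard would settle the first part; for the second, please confirm that callers treat a negative return as an error. Style nit: the added lines use two-space indentation and `if (` spacing, while the surrounding function uses four spaces and `xmalloc( ... )`-style padding inside parentheses.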
@@ -168,12 +173,13 @@ static int rtsp_send_request( rtsp_client_t *rtsp, const char *psz_type,
     i_ret = rtsp_put( rtsp, psz_buffer );
     free( psz_buffer );
 
-    if( ppsz_payload )
-        while( *ppsz_payload )
-        {
-            rtsp_put( rtsp, *ppsz_payload );
-            ppsz_payload++;
-        }
+    for (i = 0; i < MAX_FIELDS; ++i) {
+      if (!ppsz_payload[i])
+        break;
+
+      rtsp_put (rtsp, ppsz_payload[i]);
+    }
+
     rtsp_put( rtsp, "" );
     rtsp_unschedule_all( rtsp );
 
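Review bot: the bound in `for (i = 0; i < MAX_FIELDS; ++i)` is only correct if `scheduled` is declared with exactly MAX_FIELDS entries, and nothing in these lines ties the two together. Deriving the limit from the array itself, or adding a compile-time check next to the declaration, would keep the loop safe if the array size ever changes. The hunk also drops the old `if( ppsz_payload )` test; that is fine if `scheduled` is an array embedded in the private struct, but if it is a separately allocated pointer then `ppsz_payload[i]` can now dereference NULL, so please confirm which it is. As before, the return value of `rtsp_put (rtsp, ppsz_payload[i])` is ignored, so a failed write of a scheduled field does not show up in `i_ret`.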


