[vlc-devel] commit: Fix Array Indexing Vulnerability in sdpplin_parse(). (CVE-2008-0073 ). (closes #1531). (Pavlov Konstantin )

git version control git at videolan.org
Wed Mar 19 16:35:15 CET 2008 

vlc | branch: 0.8.6-bugfix | Pavlov Konstantin <thresh at altlinux.ru> | Wed Mar 19 18:31:07 2008 +0300| [8c838a6fe5f3bdb4af4f5f73d7ac0206ea92e029]

Fix Array Indexing Vulnerability in sdpplin_parse(). (CVE-2008-0073). (closes #1531).
Thanks to Alin Rad Pop, Secunia Research.
Ported from libxine.

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=8c838a6fe5f3bdb4af4f5f73d7ac0206ea92e029
---

 modules/access/rtsp/real_sdpplin.c |   33 +++++++++++++++++++++++++--------
 modules/access/rtsp/real_sdpplin.h |    4 ++--
 2 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/modules/access/rtsp/real_sdpplin.c b/modules/access/rtsp/real_sdpplin.c
index fbd1cc6..7cb46eb 100644
--- a/modules/access/rtsp/real_sdpplin.c
+++ b/modules/access/rtsp/real_sdpplin.c
@@ -138,9 +138,16 @@ static sdpplin_stream_t *sdpplin_parse_stream(char **data) {
     handled=0;
 
     if(filter(*data,"a=control:streamid=",&buf, BUFLEN)) {
-      desc->stream_id=atoi(buf);
-      handled=1;
-      *data=nl(*data);
+        /* This way negative values are mapped to unfeasibly high
+         * values, and will be discarded afterward
+         */
+        unsigned long tmp = strtoul(buf, NULL, 10);
+        if ( tmp > UINT16_MAX )
+            lprintf("stream id out of bound: %lu\n", tmp);
+        else
+            desc->stream_id=tmp;
+        handled=1;
+        *data=nl(*data);
     }
     if(filter(*data,"a=MaxBitRate:integer;",&buf, BUFLEN)) {
       desc->max_bit_rate=atoi(buf);
@@ -254,7 +261,10 @@ sdpplin_t *sdpplin_parse(char *data) {
         }
         stream=sdpplin_parse_stream(&data);
         lprintf("got data for stream id %u\n", stream->stream_id);
-        desc->stream[stream->stream_id]=stream;
+        if ( stream->stream_id >= desc->stream_count )
+            lprintf("stream id %u is greater than stream count %u\n", stream->stream_id, desc->stream_count);
+        else
+            desc->stream[stream->stream_id]=stream;
         continue;
     }
     if(filter(data,"a=Title:buffer;",&buf, BUFLEN)) {
@@ -290,10 +300,17 @@ sdpplin_t *sdpplin_parse(char *data) {
       }
     }
     if(filter(data,"a=StreamCount:integer;",&buf, BUFLEN)) {
-      desc->stream_count=atoi(buf);
-      desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
-      handled=1;
-      data=nl(data);
+        /* This way negative values are mapped to unfeasibly high
+         * values, and will be discarded afterward
+         */
+        unsigned long tmp = strtoul(buf, NULL, 10);
+        if ( tmp > UINT16_MAX )
+            lprintf("stream count out of bound: %lu\n", tmp);
+        else
+            desc->stream_count = tmp;
+        desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
+        handled=1;
+        data=nl(data);
     }
     if(filter(data,"a=Flags:integer;",&buf, BUFLEN)) {
       desc->flags=atoi(buf);
diff --git a/modules/access/rtsp/real_sdpplin.h b/modules/access/rtsp/real_sdpplin.h
index 6014ee6..10d37b8 100644
--- a/modules/access/rtsp/real_sdpplin.h
+++ b/modules/access/rtsp/real_sdpplin.h
@@ -31,7 +31,7 @@ typedef struct {
   char *id;
   char *bandwidth;
 
-  int stream_id;
+  uint16_t stream_id;
   char *range;
   char *length;
   char *rtpmap;
@@ -75,7 +75,7 @@ typedef struct {
 
   int flags;
   int is_real_data_type;
-  int stream_count;
+  uint16_t stream_count;
   char *title;
   char *author;
   char *copyright;

More information about the vlc-devel mailing list