[vlc-devel] [PATCH 03/13] modules/access/rtsp: fixed crash on unsuccessful DESCRIBE-response that includes `Alert`

[Filip Roséen]

If the remote server yields an error on the `DESCRIBE` request, while
also including an error message the module would crash due to an invalid
free.

    % netcat -l -p 8080 <<EOF
    > RTSP/1.0 200 OK
    > CSeq: 1
    > Server: Real
    > RealChallenge1: DEADBEEF
    >
    > RTSP/1.0 199 OK
    > CSeq: 2
    > Alert: I like turtles
    >
    EOF

    $ vlc -Idummy --access realrtsp,none 'rtsp://localhost:8080/test'
    VLC media player 3.0.0-git Vetinari (revision 2.2.0-git-6509-g6e5cfeb)
    [00000000015aeb18] dummy interface: using the dummy interface module...
    [00007efcac0011d8] core access error: connection failed: Connection refused
    *** Error in `vlc': free(): invalid pointer: 0x00007f6a0c002e47 ***

The reason being that `alert` will point to the middle of allocated
memory. Given the sourroundings the original author probably forgot to
`strdup` the message - even though that is very unnecessary.
---
 modules/access/rtsp/real.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/modules/access/rtsp/real.c b/modules/access/rtsp/real.c
index 0b7d5cc..53ad3bc 100644
--- a/modules/access/rtsp/real.c
+++ b/modules/access/rtsp/real.c
@@ -649,13 +649,11 @@ rmff_header_t  *real_setup_and_get_header(rtsp_client_t *rtsp_session, int bandw
   status=rtsp_request_describe(rtsp_session,NULL);
   if ( status<200 || status>299 ) {
     msg_Dbg (p_access, "server returned status code %d", status);
-    char *alert=rtsp_search_answers(rtsp_session,"Alert");
-    if (alert) {
-        msg_Dbg(p_access, "server replied with a message: %s", alert);
+    if ((p_data = rtsp_search_answers(rtsp_session, "Alert"))) {
+      msg_Dbg(p_access, "server replied with a message: '%s'", p_data);
     }
     rtsp_send_ok( rtsp_session );
     free( challenge1 );
-    free( alert );
     free( buf );
     return NULL;
   }
-- 
2.7.1