[vlc-devel] [PATCH 06/13] modules/access/rtsp: fixed bufferoverflow and off-by-one

Filip Roséen filip at atch.se
Thu Feb 25 10:12:32 CET 2016


I think the replaced code pretty much explains it all, but in short
there are two things which are horribly wrong:

  - What happens if `strchr` returns `NULL`?
  - `data` is a pointer to a buffer which has a length that depends on
    the previous read of `Content-Header`; need I say more?
---
 modules/access/rtsp/real_sdpplin.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/modules/access/rtsp/real_sdpplin.c b/modules/access/rtsp/real_sdpplin.c
index 0f56ce8..4119795 100644
--- a/modules/access/rtsp/real_sdpplin.c
+++ b/modules/access/rtsp/real_sdpplin.c
@@ -32,6 +32,14 @@ static inline char *nl(char *data) {
   return (nlptr) ? nlptr + 1 : NULL;
 }
 
+static inline int line_length(char * data) {
+  char const * p = nl(data);
+  if (p) {
+    return p - data - 1;
+  }
+  return strlen(data);
+}
+
 static int filter(access_t *p_access, const char *in, const char *filter, char **out, size_t outlen) {
 
   int flen=strlen(filter);
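Review bot: `line_length` returns `int` while its two sources are a `ptrdiff_t` difference and the `size_t` from `strlen`, so the result is narrowed silently and a very long line would hand the callers a negative `len` that their `len < BUFLEN` clamp then accepts. Returning `size_t` keeps the arithmetic unsigned end to end: `static inline size_t line_length(char *data) {` with `return p ? (size_t)(p - data - 1) : strlen(data);`, and the callers' `len` declared `size_t` to match. The subtraction is well defined because `nl()` returns a pointer one past the newline inside `data`, so `p - data` is at least 1; the parameter stays `char *` because `nl()` takes a non-const pointer. The declaration `char * data` also departs from the file's `char *data` spacing seen in `nl()` and `filter()`.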
@@ -158,12 +166,13 @@ static sdpplin_stream_t *sdpplin_parse_stream(access_t *p_access, char **data) {
 
     if(!handled) {
 #ifdef LOG
-      int len=strchr(*data,'\n')-(*data);
-      memcpy(buf, *data, len+1);
-      buf[len]=0;
-      msg_Warn(p_access, "libreal: sdpplin: not handled: '%s'\n", buf);
+      int len = line_length(*data);
+      ;   len = len < BUFLEN ? len : BUFLEN-1;
+      buf[len] = '\0';
+      strncpy (buf, *data, len);
+      msg_Warn(p_access, "libreal: sdpplin: not handled: '%s'", buf);
 #endif
-      *data=nl(*data);
+      *data=nl(*data); /* always move to next line */
     }
   }
   free( buf );
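Review bot: The line `;   len = len < BUFLEN ? len : BUFLEN-1;` starts with an empty statement that looks like an editing leftover; drop the stray `;` and write `len = len < BUFLEN ? len : BUFLEN - 1;`. The copy after it is correct only because `buf[len]` was set to `'\0'` first: `strncpy` copying exactly `len` bytes from a line at least `len` long never writes a terminator itself, so `memcpy(buf, *data, len);` states the intent directly, given that `line_length` guarantees those bytes exist. Both points apply identically to the matching lines in the `sdpplin_parse` hunk below. The enclosing `sdpplin_parse_stream` body and the allocation of `buf` lie outside the hunk.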
@@ -272,9 +281,10 @@ sdpplin_t *sdpplin_parse(access_t *p_access, char *data)
 
     if(!handled) {
 #ifdef LOG
-      int len=strchr(data,'\n')-data;
-      memcpy(buf, data, len+1);
-      buf[len]=0;
+      int len = line_length(data);
+      ;   len = len < BUFLEN ? len : BUFLEN-1;
+      buf[len] = '\0';
+      strncpy (buf, data, len);
       msg_Warn(p_access, "libreal: sdpplin: not handled: '%s'", buf);
 #endif
       data=nl(data);
-- 
2.7.1


