[vlc-devel] [PATCH 08/13] modules/access/rtsp: fixed rtsp_send_request to respect bounds of `scheduled`

Filip Roséen filip at atch.se
Thu Feb 25 10:12:34 CET 2016


The previous code would read out-of-bounds if the scheduled queue was full,
since the code expects there to be at least one NULL value among the fields
(something which is not guaranteed).

---
 modules/access/rtsp/rtsp.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/modules/access/rtsp/rtsp.c b/modules/access/rtsp/rtsp.c
index 23b6f99..44e397b 100644
--- a/modules/access/rtsp/rtsp.c
+++ b/modules/access/rtsp/rtsp.c
@@ -157,9 +157,14 @@ static int rtsp_get_status_code( rtsp_client_t *rtsp, const char *psz_string )
 static int rtsp_send_request( rtsp_client_t *rtsp, const char *psz_type,
                               const char *psz_what )
 {
-    char **ppsz_payload = rtsp->p_private->scheduled;
+    char **ppsz_payload;
     char *psz_buffer;
-    int i_ret;
+    int i_ret, i;
+
+    if (rtsp->p_private == NULL)
+      return -1;
+
+    ppsz_payload = rtsp->p_private->scheduled;
 
     psz_buffer = xmalloc( strlen(psz_type) + strlen(psz_what) +
                          sizeof("RTSP/1.0") + 2 );
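Review bot: The added guard is laid out differently from the rest of rtsp_send_request: `if (rtsp->p_private == NULL)` with a two-space indent for `return -1;`, where the context lines use four-space indents and the `call( arg )` spacing seen in `xmalloc( strlen(psz_type) + ...` and `rtsp_put( rtsp, psz_buffer );`. Writing it as `if( rtsp->p_private == NULL )` with `return -1;` indented four spaces would match the file. The same applies to the `for` loop and `rtsp_put (rtsp, ppsz_payload[i]);` in the second hunk. The guard runs before the xmalloc call, so the early return leaks nothing; the function body continues outside this hunk.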
@@ -168,12 +173,13 @@ static int rtsp_send_request( rtsp_client_t *rtsp, const char *psz_type,
     i_ret = rtsp_put( rtsp, psz_buffer );
     free( psz_buffer );
 
-    if( ppsz_payload )
-        while( *ppsz_payload )
-        {
-            rtsp_put( rtsp, *ppsz_payload );
-            ppsz_payload++;
-        }
+    for (i = 0; i < MAX_FIELDS; ++i) {
+      if (!ppsz_payload[i])
+        break;
+
+      rtsp_put (rtsp, ppsz_payload[i]);
+    }
+
     rtsp_put( rtsp, "" );
     rtsp_unschedule_all( rtsp );
 
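Review bot: The loop's bound relies on an invariant the code never states: `scheduled` holds MAX_FIELDS slots and, per the commit message, has no NULL terminator when the queue is full. A comment above the `for` would stop a later edit from reverting to a terminator walk, e.g. `/* scheduled[] has MAX_FIELDS slots; a full queue has no NULL terminator */`. rtsp_unschedule_all(), called right after the loop, is not visible in this hunk; if it still walks until NULL it would presumably over-read the same way and should use the same bound. Separately, the return values of the rtsp_put calls inside the loop are discarded, as in the old code, so only the request line's result reaches i_ret. The function body continues outside this hunk.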
-- 
2.7.1


