[vlc-devel] [PATCH 11/13] modules/access/rtsp: `rtsp_unscheduled_field` => bounds-check + error-check

Filip Roséen filip at atch.se
Thu Feb 25 10:12:37 CET 2016


The previous code would loop forever (in two places) if this function is ever
invoked; it would also read out of bounds if the `scheduled` queue was full.

---
 modules/access/rtsp/rtsp.c | 36 ++++++++++++++++++++++++------------
 1 file changed, 24 insertions(+), 12 deletions(-)

diff --git a/modules/access/rtsp/rtsp.c b/modules/access/rtsp/rtsp.c
index e208664..5af2638 100644
--- a/modules/access/rtsp/rtsp.c
+++ b/modules/access/rtsp/rtsp.c
@@ -665,22 +665,34 @@ void rtsp_schedule_field( rtsp_client_t *rtsp, const char *data )
  * removes the first scheduled field which prefix matches string.
  */
 
-void rtsp_unschedule_field( rtsp_client_t *rtsp, const char *string )
+void rtsp_unschedule_field( rtsp_client_t *rtsp, const char *needle )
 {
-    char **ptr = rtsp->p_private->scheduled;
+    char **pptr;
+    int i;
 
-    if( !string ) return;
+    if (rtsp->p_private == NULL || needle == NULL)
+      return;
 
-    while( *ptr )
-    {
-      if( !strncmp(*ptr, string, strlen(string)) ) break;
+    pptr = rtsp->p_private->scheduled;
+
+    for (i = 0; i < MAX_FIELDS; ++i) {
+      if (pptr[i] == NULL)
+        break;
+
+      if (!strncmp (pptr[i], needle, strlen(needle))) {
+        free (pptr[i]);
+        pptr[i] = NULL;
+        break;
+      }
+    }
+
+    for (i++; i < MAX_FIELDS && pptr[i]; ++i) {
+      pptr[i-1] = pptr[i];
+    }
+
+    if (i < MAX_FIELDS) {
+      pptr[i] = NULL;
     }
-    free( *ptr );
-    ptr++;
-    do
-    {
-        *(ptr-1) = *ptr;
-    } while( *ptr );
 }
 
 /*
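Review bot: After a match, the shift loop copies each later pointer down one slot, but the closing `if (i < MAX_FIELDS) pptr[i] = NULL;` clears the slot that already stopped the loop, so the last entry remains in the array twice (`pptr[i-2]` and `pptr[i-1]` alias the same string). Any later pass that frees every scheduled field would then free that string twice, and when the queue was full the array is left without a NULL terminator even though one entry was removed. The slot to clear is the vacated one, `pptr[i-1] = NULL;`, which is only safe once the no-match paths leave early: `return` instead of `break` on `pptr[i] == NULL`, plus `if (i == MAX_FIELDS) return;` after the first loop, since otherwise `i-1` can index `MAX_FIELDS`. This assumes `scheduled` holds exactly `MAX_FIELDS` entries, which the hunk does not show.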
-- 
2.7.1


