Commit 9029e6b6 authored by Clément Stenac's avatar Clément Stenac

hopefully fix SAP crash

some more size verifications
parent 12b32fc2
......@@ -587,10 +587,12 @@ static int Control( demux_t *p_demux, int i_query, va_list args )
* Local functions
**************************************************************/
/* i_read is at least > 6 */
static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
{
int i_version, i_address_type, i_hash, i;
uint8_t *psz_sdp;
uint8_t *psz_initial_sdp;
sdp_t *p_sdp;
vlc_bool_t b_compressed;
vlc_bool_t b_need_delete = VLC_FALSE;
......@@ -638,14 +640,25 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
}
psz_sdp = &p_buffer[4];
psz_initial_sdp = psz_sdp;
if( i_address_type == 0 ) /* ipv4 source address */
{
psz_sdp += 4;
if( i_read <= 9 )
{
msg_Warn( p_sd,"too short SAP packet\n" );
return VLC_EGENERIC;
}
}
else /* ipv6 source address */
{
psz_sdp += 16;
if( i_read <= 21 )
{
msg_Warn( p_sd,"too short SAP packet\n" );
return VLC_EGENERIC;
}
}
if( b_compressed )
......@@ -666,12 +679,21 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
}
/* Add the size of authentification info */
if( i_read < p_buffer[1] + (psz_sdp - psz_initial_sdp ) )
{
msg_Warn( p_sd, "too short SAP packet\n");
return VLC_EGENERIC;
}
psz_sdp += p_buffer[1];
/* Skip payload type */
/* Handle announces without \0 between SAP and SDP */
while( *psz_sdp != '\0' && ( psz_sdp[0] != 'v' && psz_sdp[1] != '=' ) )
{
if( psz_sdp - psz_initial_sdp >= i_read - 5 )
{
msg_Warn( p_sd, "empty SDP ?");
}
psz_sdp++;
}
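Review bot: The size check added inside the `while` loop only logs "empty SDP ?" and then still executes `psz_sdp++`, so a datagram with neither a NUL nor `v=` keeps the scan running past the `i_read` bytes that were received. It should stop parsing there, e.g. `msg_Warn( p_sd, "empty SDP ?" ); return VLC_EGENERIC;`, and it should run before the loop condition dereferences `psz_sdp[0]` and `psz_sdp[1]`. The authentication-length check earlier in the hunk measures the offset from `psz_initial_sdp`, which is `&p_buffer[4]`, so the four header bytes are left out of the sum. Assuming `psz_sdp` still points into `p_buffer` at that point, `if( i_read < p_buffer[1] + (psz_sdp - p_buffer) )` would count them. Both `p_buffer[1]` and the payload are presumably sender-controlled network data, and ParseSAP begins and ends outside this hunk, so any cleanup tied to `b_need_delete` on an early return cannot be checked from here.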
......@@ -680,7 +702,6 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
psz_sdp++;
}
/* Parse SDP info */
p_sdp = ParseSDP( VLC_OBJECT(p_sd), psz_sdp );
......
......@@ -226,7 +226,6 @@ int playlist_AddItem( playlist_t *p_playlist, playlist_item_t *p_item,
p_add->i_view = VIEW_SIMPLE;
val.p_address = p_add;
var_Set( p_playlist, "item-append", val );
}
else
{
......
......@@ -401,6 +401,7 @@ int playlist_NodeInsert( playlist_t *p_playlist,
if( !p_parent || p_parent->i_children == -1 )
{
msg_Err( p_playlist, "invalid node" );
return VLC_EGENERIC;
}
if( i_position == -1 ) i_position = p_parent->i_children ;
......@@ -516,11 +517,9 @@ playlist_item_t *playlist_ChildSearchName( playlist_item_t *p_node,
{
return NULL;
}
for( i = 0 ; i< p_node->i_children; i++ )
{
if( !strncmp( p_node->pp_children[i]->input.psz_name, psz_search,
strlen( p_node->pp_children[i]->input.psz_name ) ) )
if( !strcmp( p_node->pp_children[i]->input.psz_name, psz_search ) )
{
return p_node->pp_children[i];
}
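Review bot: `strcmp` is called on `p_node->pp_children[i]->input.psz_name` and `psz_search` with no NULL check visible in this hunk, and passing NULL to `strcmp` is undefined behaviour. Unless the guard above the loop, which starts outside the hunk, already rules that out, the condition could become `if( p_node->pp_children[i]->input.psz_name && !strcmp( p_node->pp_children[i]->input.psz_name, psz_search ) )`. Moving from a prefix comparison bounded by the child's name length to an exact comparison changes which item callers get back, so a short comment such as `/* exact, case-sensitive match on the item name */` above the test would record the intended contract.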
......