Commit f351efa7 authored by Pavlov Konstantin's avatar Pavlov Konstantin

Fix Array Indexing Vulnerability in sdpplin_parse(). (CVE-2008-0073). (closes #1531).

Thanks to Alin Rad Pop, Secunia Research.
Ported from libxine.
parent 16c69ade
...@@ -138,9 +138,16 @@ static sdpplin_stream_t *sdpplin_parse_stream(char **data) { ...@@ -138,9 +138,16 @@ static sdpplin_stream_t *sdpplin_parse_stream(char **data) {
handled=0; handled=0;
if(filter(*data,"a=control:streamid=",&buf, BUFLEN)) { if(filter(*data,"a=control:streamid=",&buf, BUFLEN)) {
desc->stream_id=atoi(buf); /* This way negative values are mapped to unfeasibly high
handled=1; * values, and will be discarded afterward
*data=nl(*data); */
unsigned long tmp = strtoul(buf, NULL, 10);
if ( tmp > UINT16_MAX )
lprintf("stream id out of bound: %lu\n", tmp);
else
desc->stream_id=tmp;
handled=1;
*data=nl(*data);
} }
if(filter(*data,"a=MaxBitRate:integer;",&buf, BUFLEN)) { if(filter(*data,"a=MaxBitRate:integer;",&buf, BUFLEN)) {
desc->max_bit_rate=atoi(buf); desc->max_bit_rate=atoi(buf);
...@@ -254,7 +261,10 @@ sdpplin_t *sdpplin_parse(char *data) { ...@@ -254,7 +261,10 @@ sdpplin_t *sdpplin_parse(char *data) {
} }
stream=sdpplin_parse_stream(&data); stream=sdpplin_parse_stream(&data);
lprintf("got data for stream id %u\n", stream->stream_id); lprintf("got data for stream id %u\n", stream->stream_id);
desc->stream[stream->stream_id]=stream; if ( stream->stream_id >= desc->stream_count )
lprintf("stream id %u is greater than stream count %u\n", stream->stream_id, desc->stream_count);
else
desc->stream[stream->stream_id]=stream;
continue; continue;
} }
if(filter(data,"a=Title:buffer;",&buf, BUFLEN)) { if(filter(data,"a=Title:buffer;",&buf, BUFLEN)) {
...@@ -290,10 +300,17 @@ sdpplin_t *sdpplin_parse(char *data) { ...@@ -290,10 +300,17 @@ sdpplin_t *sdpplin_parse(char *data) {
} }
} }
if(filter(data,"a=StreamCount:integer;",&buf, BUFLEN)) { if(filter(data,"a=StreamCount:integer;",&buf, BUFLEN)) {
desc->stream_count=atoi(buf); /* This way negative values are mapped to unfeasibly high
desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count); * values, and will be discarded afterward
handled=1; */
data=nl(data); unsigned long tmp = strtoul(buf, NULL, 10);
if ( tmp > UINT16_MAX )
lprintf("stream count out of bound: %lu\n", tmp);
else
desc->stream_count = tmp;
desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
handled=1;
data=nl(data);
} }
if(filter(data,"a=Flags:integer;",&buf, BUFLEN)) { if(filter(data,"a=Flags:integer;",&buf, BUFLEN)) {
desc->flags=atoi(buf); desc->flags=atoi(buf);
......
...@@ -31,7 +31,7 @@ typedef struct { ...@@ -31,7 +31,7 @@ typedef struct {
char *id; char *id;
char *bandwidth; char *bandwidth;
int stream_id; uint16_t stream_id;
char *range; char *range;
char *length; char *length;
char *rtpmap; char *rtpmap;
...@@ -75,7 +75,7 @@ typedef struct { ...@@ -75,7 +75,7 @@ typedef struct {
int flags; int flags;
int is_real_data_type; int is_real_data_type;
int stream_count; uint16_t stream_count;
char *title; char *title;
char *author; char *author;
char *copyright; char *copyright;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment