Commit f351efa7 authored by Pavlov Konstantin

Fix Array Indexing Vulnerability in sdpplin_parse(). (CVE-2008-0073). (closes #1531).

Thanks to Alin Rad Pop, Secunia Research.
Ported from libxine.
parent 16c69ade
...@@ -138,7 +138,14 @@ static sdpplin_stream_t *sdpplin_parse_stream(char **data) { ...@@ -138,7 +138,14 @@ static sdpplin_stream_t *sdpplin_parse_stream(char **data) {
handled=0; handled=0;
if(filter(*data,"a=control:streamid=",&buf, BUFLEN)) { if(filter(*data,"a=control:streamid=",&buf, BUFLEN)) {
desc->stream_id=atoi(buf); /* This way negative values are mapped to unfeasibly high
* values, and will be discarded afterward
*/
unsigned long tmp = strtoul(buf, NULL, 10);
if ( tmp > UINT16_MAX )
lprintf("stream id out of bound: %lu\n", tmp);
else
desc->stream_id=tmp;
handled=1; handled=1;
*data=nl(*data); *data=nl(*data);
} }
...@@ -254,6 +261,9 @@ sdpplin_t *sdpplin_parse(char *data) { ...@@ -254,6 +261,9 @@ sdpplin_t *sdpplin_parse(char *data) {
} }
stream=sdpplin_parse_stream(&data); stream=sdpplin_parse_stream(&data);
lprintf("got data for stream id %u\n", stream->stream_id); lprintf("got data for stream id %u\n", stream->stream_id);
if ( stream->stream_id >= desc->stream_count )
lprintf("stream id %u is greater than stream count %u\n", stream->stream_id, desc->stream_count);
else
desc->stream[stream->stream_id]=stream; desc->stream[stream->stream_id]=stream;
continue; continue;
} }
...@@ -290,7 +300,14 @@ sdpplin_t *sdpplin_parse(char *data) { ...@@ -290,7 +300,14 @@ sdpplin_t *sdpplin_parse(char *data) {
} }
} }
if(filter(data,"a=StreamCount:integer;",&buf, BUFLEN)) { if(filter(data,"a=StreamCount:integer;",&buf, BUFLEN)) {
desc->stream_count=atoi(buf); /* This way negative values are mapped to unfeasibly high
* values, and will be discarded afterward
*/
unsigned long tmp = strtoul(buf, NULL, 10);
if ( tmp > UINT16_MAX )
lprintf("stream count out of bound: %lu\n", tmp);
else
desc->stream_count = tmp;
desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count); desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
handled=1; handled=1;
data=nl(data); data=nl(data);
......
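Review bot: In the second hunk, a stream rejected by the new `stream_id >= stream_count` check falls through to `continue` without being released, so every out-of-range stream returned by sdpplin_parse_stream leaks (its id/bandwidth/range strings included) unless a caller frees it later, which nothing visible suggests; the rejected branch should release it with the sdpplin_stream_t destructor this file uses before continuing. A related gap in the first and third hunks: `strtoul(buf, NULL, 10)` discards the end pointer, so a non-numeric token silently parses as 0, and on the out-of-bound branch the field keeps its previous value while the line is still marked `handled=1`, so a stream with an oversized id is later stored under its stale id (presumably 0, if the struct was zeroed) and overwrites the real stream 0. Treat both as a parse failure instead: `char *end; unsigned long tmp = strtoul(buf, &end, 10);` followed by `if (end == buf || *end != '\0' || tmp > UINT16_MAX) { lprintf("bad stream id: %s\n", buf); }` with the assignment and `handled=1` only on the success path. The loop enclosing these hunks in sdpplin_parse starts and ends outside the shown lines.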
...@@ -31,7 +31,7 @@ typedef struct { ...@@ -31,7 +31,7 @@ typedef struct {
char *id; char *id;
char *bandwidth; char *bandwidth;
int stream_id; uint16_t stream_id;
char *range; char *range;
char *length; char *length;
char *rtpmap; char *rtpmap;
...@@ -75,7 +75,7 @@ typedef struct { ...@@ -75,7 +75,7 @@ typedef struct {
int flags; int flags;
int is_real_data_type; int is_real_data_type;
int stream_count; uint16_t stream_count;
char *title; char *title;
char *author; char *author;
char *copyright; char *copyright;
......
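Review bot: The two fields switched to `uint16_t` need `<stdint.h>` in scope in this header; the hunks do not show the include list, so confirm it (or `<inttypes.h>`) is included directly rather than reaching the header transitively from a .c file. The fields would also benefit from a comment tying them to the bound the parser now enforces, e.g. `uint16_t stream_id; /* index into sdpplin_t.stream; parser rejects ids > UINT16_MAX or >= stream_count */` and `uint16_t stream_count; /* number of entries in stream[]; bounded to UINT16_MAX by the parser */`. Both typedef structs begin outside the hunks.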