Commit f351efa7 authored by Pavlov Konstantin's avatar Pavlov Konstantin

Fix Array Indexing Vulnerability in sdpplin_parse(). (CVE-2008-0073). (closes #1531).

Thanks to Alin Rad Pop, Secunia Research.
Ported from libxine.
parent 16c69ade
......@@ -138,7 +138,14 @@ static sdpplin_stream_t *sdpplin_parse_stream(char **data) {
handled=0;
if(filter(*data,"a=control:streamid=",&buf, BUFLEN)) {
desc->stream_id=atoi(buf);
/* This way negative values are mapped to unfeasibly high
* values, and will be discarded afterward
*/
unsigned long tmp = strtoul(buf, NULL, 10);
if ( tmp > UINT16_MAX )
lprintf("stream id out of bound: %lu\n", tmp);
else
desc->stream_id=tmp;
handled=1;
*data=nl(*data);
}
......@@ -254,6 +261,9 @@ sdpplin_t *sdpplin_parse(char *data) {
}
stream=sdpplin_parse_stream(&data);
lprintf("got data for stream id %u\n", stream->stream_id);
if ( stream->stream_id >= desc->stream_count )
lprintf("stream id %u is greater than stream count %u\n", stream->stream_id, desc->stream_count);
else
desc->stream[stream->stream_id]=stream;
continue;
}
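Review bot: The out-of-bound branch in this hunk discards `stream` without releasing it: `sdpplin_parse_stream(&data)` hands back a freshly allocated stream, and when `stream->stream_id >= desc->stream_count` the code only logs and falls through to `continue`, so every rejected stream line leaks; the rejection path should free the stream (via the file's per-stream free routine if one exists, otherwise member by member) before continuing. A duplicate `a=control:streamid=` value also overwrites `desc->stream[stream->stream_id]` and orphans the earlier entry, so the else branch wants a guard such as `if (desc->stream[stream->stream_id]) { /* free or reject duplicate */ }` before the store. Both paths assume `desc->stream` is non-NULL whenever `stream_count > 0`, which holds only if the `malloc` in the `a=StreamCount:integer;` hunk succeeded — its return is unchecked there and the array is not zeroed, so `desc->stream = calloc(desc->stream_count, sizeof *desc->stream);` followed by a NULL check would cover both; a repeated StreamCount line additionally reallocates the array and orphans entries already stored by this branch. sdpplin_parse starts and ends outside this hunk, and whether `stream_count` and `stream` are zero-initialised before parsing begins is not visible here.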
......@@ -290,7 +300,14 @@ sdpplin_t *sdpplin_parse(char *data) {
}
}
if(filter(data,"a=StreamCount:integer;",&buf, BUFLEN)) {
desc->stream_count=atoi(buf);
/* This way negative values are mapped to unfeasibly high
* values, and will be discarded afterward
*/
unsigned long tmp = strtoul(buf, NULL, 10);
if ( tmp > UINT16_MAX )
lprintf("stream count out of bound: %lu\n", tmp);
else
desc->stream_count = tmp;
desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
handled=1;
data=nl(data);
......
......@@ -31,7 +31,7 @@ typedef struct {
char *id;
char *bandwidth;
int stream_id;
uint16_t stream_id;
char *range;
char *length;
char *rtpmap;
......@@ -75,7 +75,7 @@ typedef struct {
int flags;
int is_real_data_type;
int stream_count;
uint16_t stream_count;
char *title;
char *author;
char *copyright;
......