Commit 986af9f1 authored by Jean-Paul Saman's avatar Jean-Paul Saman

When recv() returns -1 a bug is triggered inside RTPRead() and RTPChoose()....

When recv() returns -1 a bug is triggered inside RTPRead() and RTPChoose(). The return value of Read() is then -1. The test "if (!i_ret) return 0;" will be false and the function will continue resulting in segfault while copying from buffers that are in an undetermined state. The correct test is "if (i_ret<0) return 0;".
parent 6754c25b
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
* udp.c: raw UDP & RTP access plug-in * udp.c: raw UDP & RTP access plug-in
***************************************************************************** *****************************************************************************
* Copyright (C) 2001, 2002 VideoLAN * Copyright (C) 2001, 2002 VideoLAN
* $Id: udp.c,v 1.19 2003/03/30 18:14:35 gbazin Exp $ * $Id: udp.c,v 1.20 2003/07/23 07:37:34 jpsaman Exp $
* *
* Authors: Christophe Massiot <massiot@via.ecp.fr> * Authors: Christophe Massiot <massiot@via.ecp.fr>
* Tristan Leteurtre <tooney@via.ecp.fr> * Tristan Leteurtre <tooney@via.ecp.fr>
...@@ -396,7 +396,7 @@ static ssize_t RTPRead( input_thread_t * p_input, byte_t * p_buffer, ...@@ -396,7 +396,7 @@ static ssize_t RTPRead( input_thread_t * p_input, byte_t * p_buffer,
* We first assume that RTP header size is the classic RTP_HEADER_LEN. */ * We first assume that RTP header size is the classic RTP_HEADER_LEN. */
ssize_t i_ret = Read( p_input, p_tmp_buffer, p_input->i_mtu ); ssize_t i_ret = Read( p_input, p_tmp_buffer, p_input->i_mtu );
if ( !i_ret ) return 0; if ( i_ret < 0 ) return 0;
/* Parse the header and make some verifications. /* Parse the header and make some verifications.
* See RFC 1889 & RFC 2250. */ * See RFC 1889 & RFC 2250. */
...@@ -445,7 +445,7 @@ static ssize_t RTPChoose( input_thread_t * p_input, byte_t * p_buffer, ...@@ -445,7 +445,7 @@ static ssize_t RTPChoose( input_thread_t * p_input, byte_t * p_buffer,
* We first assume that RTP header size is the classic RTP_HEADER_LEN. */ * We first assume that RTP header size is the classic RTP_HEADER_LEN. */
ssize_t i_ret = Read( p_input, p_tmp_buffer, p_input->i_mtu ); ssize_t i_ret = Read( p_input, p_tmp_buffer, p_input->i_mtu );
if ( !i_ret ) return 0; if ( i_ret < 0 ) return 0;
/* Check that it's not TS. */ /* Check that it's not TS. */
if ( p_tmp_buffer[0] == 0x47 ) if ( p_tmp_buffer[0] == 0x47 )
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment