access: mmstu: check command length before parsing

377b93ef · Francois Cartegnie · 90ceeec6 · 377b93ef
Commit 377b93ef authored Dec 28, 2015 by Francois Cartegnie
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 1 deletion

modules/access/mms/mmstu.c modules/access/mms/mmstu.c +8 -1

No files found.
--- a/modules/access/mms/mmstu.c
+++ b/modules/access/mms/mmstu.c
@@ -543,7 +543,7 @@ static int MMSOpen( access_t  *p_access, vlc_url_t *p_url, int  i_proto )
                     buffer.p_data,
                     buffer.i_data );

-    if( mms_CommandRead( p_access, 0x01, 0 ) < 0 )
+    if( mms_CommandRead( p_access, 0x01, 0 ) < 0 || p_sys->i_cmd < MMS_CMD_HEADERSIZE + 48 )
    {
        var_buffer_free( &buffer );
        MMSClose( p_access );
@@ -682,6 +682,13 @@ static int MMSOpen( access_t  *p_access, vlc_url_t *p_url, int  i_proto )
        return( -1 );
    }

+    if( p_sys->i_cmd < MMS_CMD_HEADERSIZE + 64 )
+    {
+        var_buffer_free( &buffer );
+        MMSClose( p_access );
+        return VLC_EBADVAR;
+    }
+
    /*  1 for file ok, 2 for authen ok */
    switch( GetDWLE( p_sys->p_cmd + MMS_CMD_HEADERSIZE ) )
    {