Commit 63ef4831 authored by Marian Durkovic's avatar Marian Durkovic

Fix comparision between incompatible pointers by returning to the

memcpy approach with proper check to avoid buffer overflow.
Afterall, I think we should discard *huge* SAPs anyway.
parent 089e9bb3
...@@ -693,15 +693,18 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read ) ...@@ -693,15 +693,18 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
i_decompressed_size = Decompress( (uint8_t *)psz_sdp, i_decompressed_size = Decompress( (uint8_t *)psz_sdp,
&p_decompressed_buffer, i_read - ( psz_sdp - (char *)p_buffer ) ); &p_decompressed_buffer, i_read - ( psz_sdp - (char *)p_buffer ) );
if( i_decompressed_size > 0 ) if( i_decompressed_size > 0 &&
i_decompressed_size < ( MAX_SAP_BUFFER - 20 ) )
{ {
psz_sdp = realloc( p_decompressed_buffer, i_decompressed_size + 1 ); memcpy( psz_sdp, p_decompressed_buffer, i_decompressed_size );
psz_sdp[i_decompressed_size] = '\0'; psz_sdp[i_decompressed_size] = '\0';
psz_end = psz_sdp + i_decompressed_size; psz_end = psz_sdp + i_decompressed_size;
FREE( p_decompressed_buffer );
} }
else else
{ {
msg_Warn( p_sd, "decompression of sap packet failed" ); msg_Warn( p_sd, "error in decompression of sap packet" );
FREE( p_decompressed_buffer );
return VLC_EGENERIC; return VLC_EGENERIC;
} }
#else #else
...@@ -799,7 +802,6 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read ) ...@@ -799,7 +802,6 @@ static int ParseSAP( services_discovery_t *p_sd, uint8_t *p_buffer, int i_read )
CreateAnnounce( p_sd, i_hash, p_sdp ); CreateAnnounce( p_sd, i_hash, p_sdp );
FREE( p_decompressed_buffer );
return VLC_SUCCESS; return VLC_SUCCESS;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment