Commit
d85ce4a0
authored
Feb 27, 2008
by
Jean-Baptiste Kempf
Tag again. I hope this is the good way to do it.
parents
28af5ba3
525823a2
Showing
5 changed files
with
268 additions
and
183 deletions
+268
-183
ChangeLog
ChangeLog
+21
-3
NEWS
NEWS
+1
-1
modules/access/rtsp/real_rmff.c
modules/access/rtsp/real_rmff.c
+200
-156
modules/access/rtsp/real_rmff.h
modules/access/rtsp/real_rmff.h
+7
-1
modules/access/rtsp/real_sdpplin.c
modules/access/rtsp/real_sdpplin.c
+39
-22
ChangeLog
------------------------------------------------------------------------
------------------------------------------------------------------------
r25282 | Trax | 2008-02-24 19:58:05 +0000 (Sun, 24 Feb 2008) | 1 line
r25364 | thresh | 2008-02-26 16:14:14 -0800 (mar, 26 fév 2008) | 2 lines
Changed paths:
M /branches/0.8.6-bugfix/NEWS
Add one more CVE fixed (this time not really ours, but xinelib's).
------------------------------------------------------------------------
r25363 | thresh | 2008-02-26 16:07:15 -0800 (mar, 26 fév 2008) | 2 lines
Backport [24245] and [24246]
------------------------------------------------------------------------
r25362 | thresh | 2008-02-26 15:59:58 -0800 (mar, 26 fév 2008) | 2 lines
Backport [24247].
------------------------------------------------------------------------
r25341 | xtophe | 2008-02-25 14:19:56 -0800 (lun, 25 fév 2008) | 2 lines
Last update to the changelog and refresh the po
------------------------------------------------------------------------
r25282 | Trax | 2008-02-24 11:58:05 -0800 (dim, 24 fév 2008) | 1 line
NEWS: remove multi-screen improvement for Mac OS X since it isn't included yet
NEWS: remove multi-screen improvement for Mac OS X since it isn't included yet
------------------------------------------------------------------------
------------------------------------------------------------------------
...
...
NEWS
...
@@ -11,7 +11,7 @@ Security updates:
...
@@ -11,7 +11,7 @@ Security updates:
* Subtitle demuxers overflow (CVE-2007-6681)
* Subtitle demuxers overflow (CVE-2007-6681)
* HTTP listener format string injection (CVE-2007-6682)
* HTTP listener format string injection (CVE-2007-6682)
* Fixed buffer overflow in the SDL_image library (CVE-2006-4484)
* Fixed buffer overflow in the SDL_image library (CVE-2006-4484)
* Real RTSP overflows (CVE-2008-0295, CVE-2008-0296, VideoLAN-SA-0801)
* Real RTSP overflows (CVE-2008-02
25, CVE-2008-02
95, CVE-2008-0296, VideoLAN-SA-0801)
* Arbitrary memory overwrite in the MP4 demuxer (CORE-2008-0130, VideoLAN-SA-0802)
* Arbitrary memory overwrite in the MP4 demuxer (CORE-2008-0130, VideoLAN-SA-0802)
Audio filter:
Audio filter:
...
...
modules/access/rtsp/real_rmff.c
...
@@ -35,9 +35,11 @@
...
@@ -35,9 +35,11 @@
* writes header data to a buffer
* writes header data to a buffer
*/
*/
static
void
rmff_dump_fileheader
(
rmff_fileheader_t
*
fileheader
,
char
*
buffer
)
{
static
int
rmff_dump_fileheader
(
rmff_fileheader_t
*
fileheader
,
uint8_t
*
buffer
,
int
bufsize
)
{
if
(
!
fileheader
)
return
0
;
if
(
bufsize
<
RMFF_FILEHEADER_SIZE
)
return
-
1
;
if
(
!
fileheader
)
return
;
fileheader
->
object_id
=
BE_32
(
&
fileheader
->
object_id
);
fileheader
->
object_id
=
BE_32
(
&
fileheader
->
object_id
);
fileheader
->
size
=
BE_32
(
&
fileheader
->
size
);
fileheader
->
size
=
BE_32
(
&
fileheader
->
size
);
fileheader
->
object_version
=
BE_16
(
&
fileheader
->
object_version
);
fileheader
->
object_version
=
BE_16
(
&
fileheader
->
object_version
);
...
@@ -53,11 +55,17 @@ static void rmff_dump_fileheader(rmff_fileheader_t *fileheader, char *buffer) {
...
@@ -53,11 +55,17 @@ static void rmff_dump_fileheader(rmff_fileheader_t *fileheader, char *buffer) {
fileheader
->
file_version
=
BE_32
(
&
fileheader
->
file_version
);
fileheader
->
file_version
=
BE_32
(
&
fileheader
->
file_version
);
fileheader
->
num_headers
=
BE_32
(
&
fileheader
->
num_headers
);
fileheader
->
num_headers
=
BE_32
(
&
fileheader
->
num_headers
);
fileheader
->
object_id
=
BE_32
(
&
fileheader
->
object_id
);
fileheader
->
object_id
=
BE_32
(
&
fileheader
->
object_id
);
return
RMFF_FILEHEADER_SIZE
;
}
}
static
void
rmff_dump_prop
(
rmff_prop_t
*
prop
,
char
*
buffer
)
{
static
int
rmff_dump_prop
(
rmff_prop_t
*
prop
,
uint8_t
*
buffer
,
int
bufsize
)
{
if
(
!
prop
)
return
0
;
if
(
bufsize
<
RMFF_PROPHEADER_SIZE
)
return
-
1
;
if
(
!
prop
)
return
;
prop
->
object_id
=
BE_32
(
&
prop
->
object_id
);
prop
->
object_id
=
BE_32
(
&
prop
->
object_id
);
prop
->
size
=
BE_32
(
&
prop
->
size
);
prop
->
size
=
BE_32
(
&
prop
->
size
);
prop
->
object_version
=
BE_16
(
&
prop
->
object_version
);
prop
->
object_version
=
BE_16
(
&
prop
->
object_version
);
...
@@ -93,13 +101,19 @@ static void rmff_dump_prop(rmff_prop_t *prop, char *buffer) {
...
@@ -93,13 +101,19 @@ static void rmff_dump_prop(rmff_prop_t *prop, char *buffer) {
prop
->
num_streams
=
BE_16
(
&
prop
->
num_streams
);
prop
->
num_streams
=
BE_16
(
&
prop
->
num_streams
);
prop
->
flags
=
BE_16
(
&
prop
->
flags
);
prop
->
flags
=
BE_16
(
&
prop
->
flags
);
prop
->
object_id
=
BE_32
(
&
prop
->
object_id
);
prop
->
object_id
=
BE_32
(
&
prop
->
object_id
);
return
RMFF_PROPHEADER_SIZE
;
}
}
static
void
rmff_dump_mdpr
(
rmff_mdpr_t
*
mdpr
,
char
*
buffer
)
{
static
int
rmff_dump_mdpr
(
rmff_mdpr_t
*
mdpr
,
uint8_t
*
buffer
,
int
bufsize
)
{
int
s1
,
s2
,
s3
;
int
s1
,
s2
,
s3
;
if
(
!
mdpr
)
return
;
if
(
!
mdpr
)
return
0
;
if
(
bufsize
<
RMFF_MDPRHEADER_SIZE
+
mdpr
->
type_specific_len
+
mdpr
->
stream_name_size
+
mdpr
->
mime_type_size
)
return
-
1
;
mdpr
->
object_id
=
BE_32
(
&
mdpr
->
object_id
);
mdpr
->
object_id
=
BE_32
(
&
mdpr
->
object_id
);
mdpr
->
size
=
BE_32
(
&
mdpr
->
size
);
mdpr
->
size
=
BE_32
(
&
mdpr
->
size
);
mdpr
->
object_version
=
BE_16
(
&
mdpr
->
object_version
);
mdpr
->
object_version
=
BE_16
(
&
mdpr
->
object_version
);
...
@@ -141,13 +155,19 @@ static void rmff_dump_mdpr(rmff_mdpr_t *mdpr, char *buffer) {
...
@@ -141,13 +155,19 @@ static void rmff_dump_mdpr(rmff_mdpr_t *mdpr, char *buffer) {
mdpr
->
duration
=
BE_32
(
&
mdpr
->
duration
);
mdpr
->
duration
=
BE_32
(
&
mdpr
->
duration
);
mdpr
->
object_id
=
BE_32
(
&
mdpr
->
object_id
);
mdpr
->
object_id
=
BE_32
(
&
mdpr
->
object_id
);
return
RMFF_MDPRHEADER_SIZE
+
s1
+
s2
+
s3
;
}
}
static
void
rmff_dump_cont
(
rmff_cont_t
*
cont
,
char
*
buffer
)
{
static
int
rmff_dump_cont
(
rmff_cont_t
*
cont
,
uint8_t
*
buffer
,
int
bufsize
)
{
int
p
;
int
p
;
if
(
!
cont
)
return
;
if
(
!
cont
)
return
0
;
if
(
bufsize
<
RMFF_CONTHEADER_SIZE
+
cont
->
title_len
+
cont
->
author_len
+
\
cont
->
copyright_len
+
cont
->
comment_len
)
return
-
1
;
cont
->
object_id
=
BE_32
(
&
cont
->
object_id
);
cont
->
object_id
=
BE_32
(
&
cont
->
object_id
);
cont
->
size
=
BE_32
(
&
cont
->
size
);
cont
->
size
=
BE_32
(
&
cont
->
size
);
cont
->
object_version
=
BE_16
(
&
cont
->
object_version
);
cont
->
object_version
=
BE_16
(
&
cont
->
object_version
);
...
@@ -181,11 +201,18 @@ static void rmff_dump_cont(rmff_cont_t *cont, char *buffer) {
...
@@ -181,11 +201,18 @@ static void rmff_dump_cont(rmff_cont_t *cont, char *buffer) {
cont
->
size
=
BE_32
(
&
cont
->
size
);
cont
->
size
=
BE_32
(
&
cont
->
size
);
cont
->
object_version
=
BE_16
(
&
cont
->
object_version
);
cont
->
object_version
=
BE_16
(
&
cont
->
object_version
);
cont
->
object_id
=
BE_32
(
&
cont
->
object_id
);
cont
->
object_id
=
BE_32
(
&
cont
->
object_id
);
return
RMFF_CONTHEADER_SIZE
+
cont
->
title_len
+
cont
->
author_len
+
\
cont
->
copyright_len
+
cont
->
comment_len
;
}
}
static
void
rmff_dump_dataheader
(
rmff_data_t
*
data
,
char
*
buffer
)
{
static
int
rmff_dump_dataheader
(
rmff_data_t
*
data
,
uint8_t
*
buffer
,
int
bufsize
)
{
if
(
!
data
)
return
0
;
if
(
bufsize
<
RMFF_DATAHEADER_SIZE
)
return
-
1
;
if
(
!
data
)
return
;
data
->
object_id
=
BE_32
(
&
data
->
object_id
);
data
->
object_id
=
BE_32
(
&
data
->
object_id
);
data
->
size
=
BE_32
(
&
data
->
size
);
data
->
size
=
BE_32
(
&
data
->
size
);
...
@@ -202,31 +229,48 @@ static void rmff_dump_dataheader(rmff_data_t *data, char *buffer) {
...
@@ -202,31 +229,48 @@ static void rmff_dump_dataheader(rmff_data_t *data, char *buffer) {
data
->
size
=
BE_32
(
&
data
->
size
);
data
->
size
=
BE_32
(
&
data
->
size
);
data
->
object_version
=
BE_16
(
&
data
->
object_version
);
data
->
object_version
=
BE_16
(
&
data
->
object_version
);
data
->
object_id
=
BE_32
(
&
data
->
object_id
);
data
->
object_id
=
BE_32
(
&
data
->
object_id
);
return
RMFF_DATAHEADER_SIZE
;
}
}
int
rmff_dump_header
(
rmff_header_t
*
h
,
char
*
buffer
,
int
max
)
{
int
rmff_dump_header
(
rmff_header_t
*
h
,
void
*
buf_gen
,
int
max
)
{
uint8_t
*
buffer
=
buf_gen
;
int
written
=
0
;
int
written
=
0
,
size
;
rmff_mdpr_t
**
stream
=
h
->
streams
;
rmff_mdpr_t
**
stream
=
h
->
streams
;
rmff_dump_fileheader
(
h
->
fileheader
,
&
buffer
[
written
]);
if
((
size
=
rmff_dump_fileheader
(
h
->
fileheader
,
&
buffer
[
written
],
max
))
<
0
)
written
+=
h
->
fileheader
->
size
;
return
-
1
;
rmff_dump_prop
(
h
->
prop
,
&
buffer
[
written
]);
written
+=
h
->
prop
->
size
;
written
+=
size
;
rmff_dump_cont
(
h
->
cont
,
&
buffer
[
written
]);
max
-=
size
;
written
+=
h
->
cont
->
size
;
if
(
stream
)
if
((
size
=
rmff_dump_prop
(
h
->
prop
,
&
buffer
[
written
],
max
))
<
0
)
{
return
-
1
;
while
(
*
stream
)
{
written
+=
size
;
rmff_dump_mdpr
(
*
stream
,
&
buffer
[
written
]);
max
-=
size
;
written
+=
(
*
stream
)
->
size
;
if
((
size
=
rmff_dump_cont
(
h
->
cont
,
&
buffer
[
written
],
max
))
<
0
)
return
-
1
;
written
+=
size
;
max
-=
size
;
if
(
stream
)
{
while
(
*
stream
)
{
if
((
size
=
rmff_dump_mdpr
(
*
stream
,
&
buffer
[
written
],
max
))
<
0
)
return
-
1
;
written
+=
size
;
max
-=
size
;
stream
++
;
stream
++
;
}
}
}
}
rmff_dump_dataheader
(
h
->
data
,
&
buffer
[
written
]);
if
((
size
=
rmff_dump_dataheader
(
h
->
data
,
&
buffer
[
written
],
max
))
<
0
)
written
+=
18
;
return
-
1
;
written
+=
size
;
return
written
;
return
written
;
}
}
...
...
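Review bot: The size check added at the top of rmff_dump_mdpr sums `RMFF_MDPRHEADER_SIZE + mdpr->type_specific_len + mdpr->stream_name_size + mdpr->mime_type_size` in whatever type those fields promote to. If `type_specific_len` is an unsigned 32-bit field (the struct is declared in real_rmff.h, outside the visible hunks), the sum can wrap and `bufsize` is converted to unsigned for the comparison, so an oversized length or a negative `bufsize` would pass the guard. Computing the requirement in a wider signed type avoids both: `int64_t need = (int64_t)RMFF_MDPRHEADER_SIZE + mdpr->type_specific_len + mdpr->stream_name_size + mdpr->mime_type_size;` followed by `if (need > bufsize) return -1;`. rmff_dump_cont builds its sum the same way and would benefit from the same form, which also lets the stray `\` line continuations outside a macro be dropped. The bodies of these functions continue outside the hunks shown.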
modules/access/rtsp/real_rmff.h
...
@@ -29,6 +29,12 @@
...
@@ -29,6 +29,12 @@
#define RMFF_HEADER_SIZE 0x12
#define RMFF_HEADER_SIZE 0x12
#define RMFF_FILEHEADER_SIZE 18
#define RMFF_PROPHEADER_SIZE 50
#define RMFF_MDPRHEADER_SIZE 46
#define RMFF_CONTHEADER_SIZE 18
#define RMFF_DATAHEADER_SIZE 18
#define FOURCC_TAG( ch0, ch1, ch2, ch3 ) \
#define FOURCC_TAG( ch0, ch1, ch2, ch3 ) \
(((long)(unsigned char)(ch3) ) | \
(((long)(unsigned char)(ch3) ) | \
( (long)(unsigned char)(ch2) << 8 ) | \
( (long)(unsigned char)(ch2) << 8 ) | \
...
@@ -234,7 +240,7 @@ int rmff_get_header_size(rmff_header_t *h);
...
@@ -234,7 +240,7 @@ int rmff_get_header_size(rmff_header_t *h);
/*
/*
* dumps the header <h> to <buffer>. <max> is the size of <buffer>
* dumps the header <h> to <buffer>. <max> is the size of <buffer>
*/
*/
int
rmff_dump_header
(
rmff_header_t
*
h
,
char
*
buffer
,
int
max
);
int
rmff_dump_header
(
rmff_header_t
*
h
,
void
*
buffer
,
int
max
);
/*
/*
* dumps a packet header
* dumps a packet header
...
...
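Review bot: The comment above the rmff_dump_header prototype still says only that `<max>` is the size of `<buffer>`, although the implementation in real_rmff.c now returns -1 as soon as one section does not fit. Callers need that contract stated, so I would extend the comment with `* returns the number of bytes written, or -1 if <buffer> is too small.` and say that `<max>` is counted in bytes now that the parameter is a `void *`. The new `RMFF_*HEADER_SIZE` constants would also benefit from a one-line comment saying they are, presumably, the fixed serialized size of each section, to distinguish them from the existing `RMFF_HEADER_SIZE 0x12`.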
modules/access/rtsp/real_sdpplin.c
...
@@ -92,7 +92,7 @@ static char *nl(char *data) {
...
@@ -92,7 +92,7 @@ static char *nl(char *data) {
static
int
filter
(
const
char
*
in
,
const
char
*
filter
,
char
**
out
,
size_t
outlen
)
{
static
int
filter
(
const
char
*
in
,
const
char
*
filter
,
char
**
out
,
size_t
outlen
)
{
int
flen
=
strlen
(
filter
);
int
flen
=
strlen
(
filter
);
in
t
len
;
size_
t
len
;
if
(
!
in
)
return
0
;
if
(
!
in
)
return
0
;
...
@@ -185,12 +185,14 @@ static sdpplin_stream_t *sdpplin_parse_stream(char **data) {
...
@@ -185,12 +185,14 @@ static sdpplin_stream_t *sdpplin_parse_stream(char **data) {
}
}
if
(
filter
(
*
data
,
"a=OpaqueData:buffer;"
,
&
buf
,
BUFLEN
))
{
if
(
filter
(
*
data
,
"a=OpaqueData:buffer;"
,
&
buf
,
BUFLEN
))
{
decoded
=
b64_decode
(
buf
,
decoded
,
&
(
desc
->
mlti_data_size
));
decoded
=
b64_decode
(
buf
,
decoded
,
&
(
desc
->
mlti_data_size
));
if
(
decoded
!=
NULL
)
{
desc
->
mlti_data
=
malloc
(
sizeof
(
char
)
*
desc
->
mlti_data_size
);
desc
->
mlti_data
=
malloc
(
sizeof
(
char
)
*
desc
->
mlti_data_size
);
memcpy
(
desc
->
mlti_data
,
decoded
,
desc
->
mlti_data_size
);
memcpy
(
desc
->
mlti_data
,
decoded
,
desc
->
mlti_data_size
);
handled
=
1
;
handled
=
1
;
*
data
=
nl
(
*
data
);
*
data
=
nl
(
*
data
);
lprintf
(
"mlti_data_size: %i
\n
"
,
desc
->
mlti_data_size
);
lprintf
(
"mlti_data_size: %i
\n
"
,
desc
->
mlti_data_size
);
}
}
}
if
(
filter
(
*
data
,
"a=ASMRuleBook:string;"
,
&
buf
,
BUFLEN
))
{
if
(
filter
(
*
data
,
"a=ASMRuleBook:string;"
,
&
buf
,
BUFLEN
))
{
desc
->
asm_rule_book
=
strdup
(
buf
);
desc
->
asm_rule_book
=
strdup
(
buf
);
handled
=
1
;
handled
=
1
;
...
@@ -237,12 +239,19 @@ sdpplin_t *sdpplin_parse(char *data) {
...
@@ -237,12 +239,19 @@ sdpplin_t *sdpplin_parse(char *data) {
free
(
desc
);
free
(
desc
);
return
NULL
;
return
NULL
;
}
}
desc
->
stream
=
NULL
;
memset
(
desc
,
0
,
sizeof
(
sdpplin_t
));
memset
(
desc
,
0
,
sizeof
(
sdpplin_t
));
while
(
data
&&
*
data
)
{
while
(
data
&&
*
data
)
{
handled
=
0
;
handled
=
0
;
if
(
filter
(
data
,
"m="
,
&
buf
,
BUFLEN
))
{
if
(
filter
(
data
,
"m="
,
&
buf
,
BUFLEN
))
{
if
(
!
desc
->
stream
)
{
fprintf
(
stderr
,
"sdpplin.c: stream identifier found before stream count, skipping."
);
continue
;
}
stream
=
sdpplin_parse_stream
(
&
data
);
stream
=
sdpplin_parse_stream
(
&
data
);
lprintf
(
"got data for stream id %u
\n
"
,
stream
->
stream_id
);
lprintf
(
"got data for stream id %u
\n
"
,
stream
->
stream_id
);
desc
->
stream
[
stream
->
stream_id
]
=
stream
;
desc
->
stream
[
stream
->
stream_id
]
=
stream
;
...
@@ -250,28 +259,36 @@ sdpplin_t *sdpplin_parse(char *data) {
...
@@ -250,28 +259,36 @@ sdpplin_t *sdpplin_parse(char *data) {
}
}
if
(
filter
(
data
,
"a=Title:buffer;"
,
&
buf
,
BUFLEN
))
{
if
(
filter
(
data
,
"a=Title:buffer;"
,
&
buf
,
BUFLEN
))
{
decoded
=
b64_decode
(
buf
,
decoded
,
&
len
);
decoded
=
b64_decode
(
buf
,
decoded
,
&
len
);
if
(
decoded
!=
NULL
)
{
desc
->
title
=
strdup
(
decoded
);
desc
->
title
=
strdup
(
decoded
);
handled
=
1
;
handled
=
1
;
data
=
nl
(
data
);
data
=
nl
(
data
);
}
}
}
if
(
filter
(
data
,
"a=Author:buffer;"
,
&
buf
,
BUFLEN
))
{
if
(
filter
(
data
,
"a=Author:buffer;"
,
&
buf
,
BUFLEN
))
{
decoded
=
b64_decode
(
buf
,
decoded
,
&
len
);
decoded
=
b64_decode
(
buf
,
decoded
,
&
len
);
if
(
decoded
!=
NULL
)
{
desc
->
author
=
strdup
(
decoded
);
desc
->
author
=
strdup
(
decoded
);
handled
=
1
;
handled
=
1
;
data
=
nl
(
data
);
data
=
nl
(
data
);
}
}
}
if
(
filter
(
data
,
"a=Copyright:buffer;"
,
&
buf
,
BUFLEN
))
{
if
(
filter
(
data
,
"a=Copyright:buffer;"
,
&
buf
,
BUFLEN
))
{
decoded
=
b64_decode
(
buf
,
decoded
,
&
len
);
decoded
=
b64_decode
(
buf
,
decoded
,
&
len
);
if
(
decoded
!=
NULL
)
{
desc
->
copyright
=
strdup
(
decoded
);
desc
->
copyright
=
strdup
(
decoded
);
handled
=
1
;
handled
=
1
;
data
=
nl
(
data
);
data
=
nl
(
data
);
}
}
}
if
(
filter
(
data
,
"a=Abstract:buffer;"
,
&
buf
,
BUFLEN
))
{
if
(
filter
(
data
,
"a=Abstract:buffer;"
,
&
buf
,
BUFLEN
))
{
decoded
=
b64_decode
(
buf
,
decoded
,
&
len
);
decoded
=
b64_decode
(
buf
,
decoded
,
&
len
);
if
(
decoded
!=
NULL
)
{
desc
->
abstract
=
strdup
(
decoded
);
desc
->
abstract
=
strdup
(
decoded
);
handled
=
1
;
handled
=
1
;
data
=
nl
(
data
);
data
=
nl
(
data
);
}
}
}
if
(
filter
(
data
,
"a=StreamCount:integer;"
,
&
buf
,
BUFLEN
))
{
if
(
filter
(
data
,
"a=StreamCount:integer;"
,
&
buf
,
BUFLEN
))
{
desc
->
stream_count
=
atoi
(
buf
);
desc
->
stream_count
=
atoi
(
buf
);
desc
->
stream
=
malloc
(
sizeof
(
sdpplin_stream_t
*
)
*
desc
->
stream_count
);
desc
->
stream
=
malloc
(
sizeof
(
sdpplin_stream_t
*
)
*
desc
->
stream_count
);
...
...
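Review bot: The guard added in sdpplin_parse for `m=` lines does `continue` without advancing `data`, so when `desc->stream` is still NULL the `while (data && *data)` loop re-tests the same line and, as far as the visible lines show, never terminates; the other branches advance with `data = nl(data);` and this one should do the same before `continue;`. A few lines below, `desc->stream[stream->stream_id] = stream;` still stores at an index parsed from the description with no comparison against `desc->stream_count` inside the hunk, so the store should be guarded, e.g. `if (stream->stream_id < desc->stream_count) desc->stream[stream->stream_id] = stream;` (adjusted for the fields' signedness, and releasing the unused stream otherwise). The new fprintf message also lacks a trailing newline. sdpplin_parse starts and ends outside the hunk.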