Commit f16c09d6 authored by Jean-Baptiste Kempf's avatar Jean-Baptiste Kempf

RealRTSP: Fix Heap Overflows

SA-1202
(cherry picked from commit 19bd7f7b)
Signed-off-by: default avatarJean-Baptiste Kempf <jb@videolan.org>
parent 11a95cce
...@@ -351,6 +351,7 @@ static void real_calc_response_and_checksum (char *response, char *chksum, char ...@@ -351,6 +351,7 @@ static void real_calc_response_and_checksum (char *response, char *chksum, char
chksum[i] = response[i*4]; chksum[i] = response[i*4];
} }
#define MLTI_BUF_MAX_SIZE 2048
/* /*
* takes a MLTI-Chunk and a rule number got from match_asm_rule, * takes a MLTI-Chunk and a rule number got from match_asm_rule,
...@@ -368,7 +369,7 @@ static int select_mlti_data(const char *mlti_chunk, int mlti_size, int selection ...@@ -368,7 +369,7 @@ static int select_mlti_data(const char *mlti_chunk, int mlti_size, int selection
||(mlti_chunk[3] != 'I')) ||(mlti_chunk[3] != 'I'))
{ {
lprintf("MLTI tag not detected, copying data\n"); lprintf("MLTI tag not detected, copying data\n");
memcpy(*out, mlti_chunk, mlti_size); memcpy(*out, mlti_chunk, __MIN(mlti_size,MLTI_BUF_MAX_SIZE));
return mlti_size; return mlti_size;
} }
...@@ -405,7 +406,7 @@ static int select_mlti_data(const char *mlti_chunk, int mlti_size, int selection ...@@ -405,7 +406,7 @@ static int select_mlti_data(const char *mlti_chunk, int mlti_size, int selection
} }
size=BE_32(mlti_chunk); size=BE_32(mlti_chunk);
memcpy(*out, mlti_chunk+4, size); memcpy(*out, mlti_chunk+4, __MIN(size,MLTI_BUF_MAX_SIZE));
return size; return size;
} }
...@@ -430,7 +431,7 @@ static rmff_header_t *real_parse_sdp(char *data, char **stream_rules, uint32_t b ...@@ -430,7 +431,7 @@ static rmff_header_t *real_parse_sdp(char *data, char **stream_rules, uint32_t b
desc=sdpplin_parse(data); desc=sdpplin_parse(data);
if( !desc ) return NULL; if( !desc ) return NULL;
buf= (char *)malloc(2048); buf= (char *)malloc(MLTI_BUF_MAX_SIZE);
if( !buf ) goto error; if( !buf ) goto error;
header = calloc( 1, sizeof(rmff_header_t) ); header = calloc( 1, sizeof(rmff_header_t) );
......
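Review bot: Both clamped copies in select_mlti_data still return the unclamped length (`return mlti_size;` and `return size;`), so a caller that treats the return value as the number of valid bytes in `*out` would read past the MLTI_BUF_MAX_SIZE bytes actually written; the callers are outside this diff, so that needs confirming. Clamping once and returning the clamped value keeps the two in step, e.g. `size = __MIN(size, MLTI_BUF_MAX_SIZE);` before `memcpy(*out, mlti_chunk+4, size);`, and likewise for `mlti_size` in the "MLTI tag not detected" branch. `mlti_size` is an `int`, so a negative value passes `__MIN` unchanged and is converted to a very large length by `memcpy`; rejecting values below zero first would close that, and the same holds for `size` if it is signed (its declaration is not visible here). The second copy also bounds only the destination: nothing in the visible lines checks that `size + 4` fits within `mlti_size` before reading from `mlti_chunk`. The bodies of select_mlti_data and real_parse_sdp start and end outside these hunks.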