From 8f8b53d9539fcbd6d3bbf9c435d03c4a02aa35f8 Mon Sep 17 00:00:00 2001 From: reimar Date: Wed, 15 Dec 2004 18:16:24 +0000 Subject: [PATCH] fix security vulnerability reported by iDEFENSE git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@14160 b3059339-0415-0410-9bf9-f77b7e298cf2 --- libmpdemux/realrtsp/real.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libmpdemux/realrtsp/real.c b/libmpdemux/realrtsp/real.c index ae6e6fdbc0..3d02dd7564 100644 --- a/libmpdemux/realrtsp/real.c +++ b/libmpdemux/realrtsp/real.c @@ -691,6 +691,8 @@ int convert_timestamp(char *str, int *sec, int *msec) { return 1; } +//! maximum size of the rtsp description, must be < INT_MAX +#define MAX_DESC_BUF (20 * 1024 * 1024) rmff_header_t *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwidth) { char *description=NULL; @@ -741,13 +743,21 @@ rmff_header_t *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwid else size=atoi(rtsp_search_answers(rtsp_session,"Content-length")); + // as size is unsigned this also catches the case (size < 0) + if (size > MAX_DESC_BUF) { + printf("real: Content-length for description too big (> %uMB)!\n", + MAX_DESC_BUF/(1024*1024) ); + xbuffer_free(buf); + return NULL; + } + if (!rtsp_search_answers(rtsp_session,"ETag")) printf("real: got no ETag!\n"); else session_id=strdup(rtsp_search_answers(rtsp_session,"ETag")); #ifdef LOG - printf("real: Stream description size: %i\n", size); + printf("real: Stream description size: %u\n", size); #endif description=malloc(sizeof(char)*(size+1));