fix security vulnerability reported by iDEFENSE

git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@14160 b3059339-0415-0410-9bf9-f77b7e298cf2
reimar 2004-12-15 18:16:24 +00:00
parent 9eb9112aaa
commit 8f8b53d953
1 changed files with 11 additions and 1 deletions


@ -691,6 +691,8 @@ int convert_timestamp(char *str, int *sec, int *msec) {
return 1; return 1;
} }
//! maximum size of the rtsp description, must be < INT_MAX
#define MAX_DESC_BUF (20 * 1024 * 1024)
rmff_header_t *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwidth) { rmff_header_t *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwidth) {
char *description=NULL; char *description=NULL;
@ -741,13 +743,21 @@ rmff_header_t *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwid
else else
size=atoi(rtsp_search_answers(rtsp_session,"Content-length")); size=atoi(rtsp_search_answers(rtsp_session,"Content-length"));
// as size is unsigned this also catches the case (size < 0)
if (size > MAX_DESC_BUF) {
printf("real: Content-length for description too big (> %uMB)!\n",
MAX_DESC_BUF/(1024*1024) );
xbuffer_free(buf);
return NULL;
}
if (!rtsp_search_answers(rtsp_session,"ETag")) if (!rtsp_search_answers(rtsp_session,"ETag"))
printf("real: got no ETag!\n"); printf("real: got no ETag!\n");
else else
session_id=strdup(rtsp_search_answers(rtsp_session,"ETag")); session_id=strdup(rtsp_search_answers(rtsp_session,"ETag"));
#ifdef LOG #ifdef LOG
printf("real: Stream description size: %i\n", size); printf("real: Stream description size: %u\n", size);
#endif #endif
description=malloc(sizeof(char)*(size+1)); description=malloc(sizeof(char)*(size+1));
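Review bot: The `malloc(sizeof(char)*(size+1))` on the last line of the second hunk has no NULL check visible before the hunk ends, so even with the new cap a server-supplied Content-length of up to 20 MB can leave `description` NULL for whatever the rest of the function does with it (the body continues outside the hunk). A guard directly after it, `if (!description) { xbuffer_free(buf); free(session_id); return NULL; }`, would close that path; `session_id` is included because the `strdup` above has already run, assuming it is initialised to NULL for the no-ETag case. The bound check also depends on `atoi`, which reports no error for non-numeric or out-of-range header values; parsing with `strtoul` plus an end-pointer and `errno` check before `size > MAX_DESC_BUF` would keep the comparison on defined behaviour. Finally, `%uMB` is given an `int` expression because `MAX_DESC_BUF` is built from `int` constants; writing the macro as `(20u * 1024 * 1024)` would make the format and the unsigned comparison agree.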