diff options
| author | reimar <reimar@b3059339-0415-0410-9bf9-f77b7e298cf2> | 2004-12-15 19:12:46 +0000 |
|---|---|---|
| committer | reimar <reimar@b3059339-0415-0410-9bf9-f77b7e298cf2> | 2004-12-15 19:12:46 +0000 |
| commit | 343d83d5a694c7a6f10a2b8a8c70839d9bbb9d57 (patch) | |
| tree | ed05ef9e3a9aa8c126b289535297bef352f01f7a | |
| parent | a891b782901fb36d59f5fb1f0aaff9d385a24ead (diff) | |
| download | mpv-343d83d5a694c7a6f10a2b8a8c70839d9bbb9d57.tar.bz2 mpv-343d83d5a694c7a6f10a2b8a8c70839d9bbb9d57.tar.xz | |
fix a problem pointed out by iDEFENSE and several similar ones.
git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@14164 b3059339-0415-0410-9bf9-f77b7e298cf2
| -rw-r--r-- | libmpdemux/asf_mmst_streaming.c | 26 |
1 files changed, 25 insertions, 1 deletions
diff --git a/libmpdemux/asf_mmst_streaming.c b/libmpdemux/asf_mmst_streaming.c index 626aceae6b..bc337dc4ad 100644 --- a/libmpdemux/asf_mmst_streaming.c +++ b/libmpdemux/asf_mmst_streaming.c @@ -42,6 +42,7 @@ #include "network.h" #define BUF_SIZE 102400 +#define HDR_BUF_SIZE 8192 typedef struct { @@ -216,6 +217,11 @@ static int get_header (int s, uint8_t *header, streaming_ctrl_t *streaming_ctrl) // printf ("asf header packet detected, len=%d\n", packet_len); + if (packet_len < 0 || packet_len > HDR_BUF_SIZE - header_len) { + mp_msg(MSGT_NETWORK, MSGL_FATAL, "Invalid header size, giving up\n"); + return 0; + } + if (!get_data (s, &header[header_len], packet_len)) { printf ("header data read failed\n"); return 0; @@ -250,6 +256,12 @@ static int get_header (int s, uint8_t *header, streaming_ctrl_t *streaming_ctrl) packet_len = get_32 ((unsigned char*)&packet_len, 0) + 4; // printf ("command packet detected, len=%d\n", packet_len); + + if (packet_len < 0 || packet_len > BUF_SIZE) { + mp_msg(MSGT_NETWORK, MSGL_FATAL, + "Invalid rtsp packet size, giving up\n"); + return 0; + } if (!get_data (s, data, packet_len)) { printf ("command data read failed\n"); @@ -361,6 +373,12 @@ static int get_media_packet (int s, int padding, streaming_ctrl_t *stream_ctrl) // printf ("asf media packet detected, len=%d\n", packet_len); + if (packet_len < 0 || packet_len > BUF_SIZE) { + mp_msg(MSGT_NETWORK, MSGL_FATAL, + "Invalid rtsp packet size, giving up\n"); + return 0; + } + if (!get_data (s, data, packet_len)) { printf ("media data read failed\n"); return 0; @@ -380,6 +398,12 @@ static int get_media_packet (int s, int padding, streaming_ctrl_t *stream_ctrl) packet_len = get_32 ((unsigned char*)&packet_len, 0) + 4; + if (packet_len < 0 || packet_len > BUF_SIZE) { + mp_msg(MSGT_NETWORK, MSGL_FATAL, + "Invalid rtsp packet size, giving up\n"); + return 0; + } + if (!get_data (s, data, packet_len)) { printf ("command data read failed\n"); return 0; @@ -464,7 +488,7 @@ int asf_mmst_streaming_start(stream_t *stream) { char str[1024]; char data[BUF_SIZE]; - uint8_t asf_header[8192]; + uint8_t asf_header[HDR_BUF_SIZE]; int asf_header_len; int len, i, packet_length; char *path, *unescpath; |