summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorreimar <reimar@b3059339-0415-0410-9bf9-f77b7e298cf2>2004-12-15 19:12:46 +0000
committerreimar <reimar@b3059339-0415-0410-9bf9-f77b7e298cf2>2004-12-15 19:12:46 +0000
commit343d83d5a694c7a6f10a2b8a8c70839d9bbb9d57 (patch)
treeed05ef9e3a9aa8c126b289535297bef352f01f7a
parenta891b782901fb36d59f5fb1f0aaff9d385a24ead (diff)
downloadmpv-343d83d5a694c7a6f10a2b8a8c70839d9bbb9d57.tar.bz2
mpv-343d83d5a694c7a6f10a2b8a8c70839d9bbb9d57.tar.xz
fix a problem pointed out by iDEFENSE and several similar ones.
git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@14164 b3059339-0415-0410-9bf9-f77b7e298cf2
-rw-r--r--libmpdemux/asf_mmst_streaming.c26
1 files changed, 25 insertions, 1 deletions
diff --git a/libmpdemux/asf_mmst_streaming.c b/libmpdemux/asf_mmst_streaming.c
index 626aceae6b..bc337dc4ad 100644
--- a/libmpdemux/asf_mmst_streaming.c
+++ b/libmpdemux/asf_mmst_streaming.c
@@ -42,6 +42,7 @@
#include "network.h"
#define BUF_SIZE 102400
+#define HDR_BUF_SIZE 8192
typedef struct
{
@@ -216,6 +217,11 @@ static int get_header (int s, uint8_t *header, streaming_ctrl_t *streaming_ctrl)
// printf ("asf header packet detected, len=%d\n", packet_len);
+ if (packet_len < 0 || packet_len > HDR_BUF_SIZE - header_len) {
+ mp_msg(MSGT_NETWORK, MSGL_FATAL, "Invalid header size, giving up\n");
+ return 0;
+ }
+
if (!get_data (s, &header[header_len], packet_len)) {
printf ("header data read failed\n");
return 0;
@@ -250,6 +256,12 @@ static int get_header (int s, uint8_t *header, streaming_ctrl_t *streaming_ctrl)
packet_len = get_32 ((unsigned char*)&packet_len, 0) + 4;
// printf ("command packet detected, len=%d\n", packet_len);
+
+ if (packet_len < 0 || packet_len > BUF_SIZE) {
+ mp_msg(MSGT_NETWORK, MSGL_FATAL,
+ "Invalid rtsp packet size, giving up\n");
+ return 0;
+ }
if (!get_data (s, data, packet_len)) {
printf ("command data read failed\n");
@@ -361,6 +373,12 @@ static int get_media_packet (int s, int padding, streaming_ctrl_t *stream_ctrl)
// printf ("asf media packet detected, len=%d\n", packet_len);
+ if (packet_len < 0 || packet_len > BUF_SIZE) {
+ mp_msg(MSGT_NETWORK, MSGL_FATAL,
+ "Invalid rtsp packet size, giving up\n");
+ return 0;
+ }
+
if (!get_data (s, data, packet_len)) {
printf ("media data read failed\n");
return 0;
@@ -380,6 +398,12 @@ static int get_media_packet (int s, int padding, streaming_ctrl_t *stream_ctrl)
packet_len = get_32 ((unsigned char*)&packet_len, 0) + 4;
+ if (packet_len < 0 || packet_len > BUF_SIZE) {
+ mp_msg(MSGT_NETWORK, MSGL_FATAL,
+ "Invalid rtsp packet size, giving up\n");
+ return 0;
+ }
+
if (!get_data (s, data, packet_len)) {
printf ("command data read failed\n");
return 0;
@@ -464,7 +488,7 @@ int asf_mmst_streaming_start(stream_t *stream)
{
char str[1024];
char data[BUF_SIZE];
- uint8_t asf_header[8192];
+ uint8_t asf_header[HDR_BUF_SIZE];
int asf_header_len;
int len, i, packet_length;
char *path, *unescpath;