authorreimar <reimar@b3059339-0415-0410-9bf9-f77b7e298cf2>2004-12-15 18:16:24 +0000
committerreimar <reimar@b3059339-0415-0410-9bf9-f77b7e298cf2>2004-12-15 18:16:24 +0000
commit8f8b53d9539fcbd6d3bbf9c435d03c4a02aa35f8 (patch)
tree810e2040eb8fdc7b4a75ac0cb749f0103fc724a1 /libmpdemux
parent9eb9112aaa0f38d88601f23529a1a372c6d2a8f1 (diff)
fix security vulnerability reported by iDEFENSE
git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@14160 b3059339-0415-0410-9bf9-f77b7e298cf2
Diffstat (limited to 'libmpdemux')
-rw-r--r--libmpdemux/realrtsp/real.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/libmpdemux/realrtsp/real.c b/libmpdemux/realrtsp/real.c
index ae6e6fdbc0..3d02dd7564 100644
--- a/libmpdemux/realrtsp/real.c
+++ b/libmpdemux/realrtsp/real.c
@@ -691,6 +691,8 @@ int convert_timestamp(char *str, int *sec, int *msec) {
return 1;
}
+//! maximum size of the rtsp description, must be < INT_MAX
+#define MAX_DESC_BUF (20 * 1024 * 1024)
rmff_header_t *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwidth) {
char *description=NULL;
@@ -741,13 +743,21 @@ rmff_header_t *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwid
else
size=atoi(rtsp_search_answers(rtsp_session,"Content-length"));
+ // as size is unsigned this also catches the case (size < 0)
+ if (size > MAX_DESC_BUF) {
+ printf("real: Content-length for description too big (> %uMB)!\n",
+ MAX_DESC_BUF/(1024*1024) );
+ xbuffer_free(buf);
+ return NULL;
+ }
+
if (!rtsp_search_answers(rtsp_session,"ETag"))
printf("real: got no ETag!\n");
else
session_id=strdup(rtsp_search_answers(rtsp_session,"ETag"));
#ifdef LOG
- printf("real: Stream description size: %i\n", size);
+ printf("real: Stream description size: %u\n", size);
#endif
description=malloc(sizeof(char)*(size+1));
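Review bot: The `malloc(sizeof(char)*(size+1))` on the last line of this hunk has no visible NULL check, while the new bound still lets a server-supplied Content-length request up to 20 MB, so a failed allocation is reachable from remote input. The function continues past the hunk, so a check may exist there; if it does not, add `if (!description) { xbuffer_free(buf); return NULL; }` directly after the allocation, and also release `session_id` if the `strdup` above ran. Separately, `size` still comes from `atoi`, which returns 0 for non-numeric text and has undefined behaviour for out-of-range values, so the `size > MAX_DESC_BUF` test relies on the conversion having wrapped as expected. Parsing with `strtoul` and checking the end pointer and `errno` before the comparison would make the limit dependable. A minor point: `MAX_DESC_BUF/(1024*1024)` is an `int` expression printed with `%u`, so either cast it to `unsigned` or give the macro a `u` suffix.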