From 343d83d5a694c7a6f10a2b8a8c70839d9bbb9d57 Mon Sep 17 00:00:00 2001
From: reimar <reimar@b3059339-0415-0410-9bf9-f77b7e298cf2>
Date: Wed, 15 Dec 2004 19:12:46 +0000
Subject: fix a problem pointed out by iDEFENSE and several similar ones.

git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@14164 b3059339-0415-0410-9bf9-f77b7e298cf2
---
 libmpdemux/asf_mmst_streaming.c | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

(limited to 'libmpdemux')

diff --git a/libmpdemux/asf_mmst_streaming.c b/libmpdemux/asf_mmst_streaming.c
index 626aceae6b..bc337dc4ad 100644
--- a/libmpdemux/asf_mmst_streaming.c
+++ b/libmpdemux/asf_mmst_streaming.c
@@ -42,6 +42,7 @@
 #include "network.h"
 
 #define BUF_SIZE 102400
+#define HDR_BUF_SIZE 8192
 
 typedef struct 
 {
@@ -216,6 +217,11 @@ static int get_header (int s, uint8_t *header, streaming_ctrl_t *streaming_ctrl)
 
 //      printf ("asf header packet detected, len=%d\n", packet_len);
 
+      if (packet_len < 0 || packet_len > HDR_BUF_SIZE - header_len) {
+        mp_msg(MSGT_NETWORK, MSGL_FATAL, "Invalid header size, giving up\n");
+        return 0;
+      }
+
       if (!get_data (s, &header[header_len], packet_len)) {
 	printf ("header data read failed\n");
 	return 0;
@@ -250,6 +256,12 @@ static int get_header (int s, uint8_t *header, streaming_ctrl_t *streaming_ctrl)
       packet_len = get_32 ((unsigned char*)&packet_len, 0) + 4;
       
 //      printf ("command packet detected, len=%d\n", packet_len);
+
+      if (packet_len < 0 || packet_len > BUF_SIZE) {
+        mp_msg(MSGT_NETWORK, MSGL_FATAL,
+                "Invalid rtsp packet size, giving up\n");
+        return 0;
+      }
       
       if (!get_data (s, data, packet_len)) {
 	printf ("command data read failed\n");
@@ -361,6 +373,12 @@ static int get_media_packet (int s, int padding, streaming_ctrl_t *stream_ctrl)
 
 //    printf ("asf media packet detected, len=%d\n", packet_len);
 
+    if (packet_len < 0 || packet_len > BUF_SIZE) {
+      mp_msg(MSGT_NETWORK, MSGL_FATAL,
+              "Invalid rtsp packet size, giving up\n");
+      return 0;
+    }
+      
     if (!get_data (s, data, packet_len)) {
       printf ("media data read failed\n");
       return 0;
@@ -380,6 +398,12 @@ static int get_media_packet (int s, int padding, streaming_ctrl_t *stream_ctrl)
 
     packet_len = get_32 ((unsigned char*)&packet_len, 0) + 4;
 
+    if (packet_len < 0 || packet_len > BUF_SIZE) {
+      mp_msg(MSGT_NETWORK, MSGL_FATAL,
+              "Invalid rtsp packet size, giving up\n");
+      return 0;
+    }
+
     if (!get_data (s, data, packet_len)) {
       printf ("command data read failed\n");
       return 0;
@@ -464,7 +488,7 @@ int asf_mmst_streaming_start(stream_t *stream)
 {
   char                 str[1024];
   char                 data[BUF_SIZE];
-  uint8_t              asf_header[8192];
+  uint8_t              asf_header[HDR_BUF_SIZE];
   int                  asf_header_len;
   int                  len, i, packet_length;
   char                *path, *unescpath;
-- 
cgit v1.2.3