On 03/29/2012 03:03 PM, Tanu Kaskinen wrote:
pa_atou() return value was not checked, and the cast of a
16-bit variable pointer to a 32-bit variable pointer could
corrupt cseq.

Good catch. Ack.

---
  src/modules/rtp/rtsp_client.c |   12 ++++++++++--
  1 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/modules/rtp/rtsp_client.c b/src/modules/rtp/rtsp_client.c
index 71692c2..675b5d4 100644
--- a/src/modules/rtp/rtsp_client.c
+++ b/src/modules/rtp/rtsp_client.c
@@ -143,9 +143,17 @@ static void headers_read(pa_rtsp_client *c) {

          /* Now parse out the server port component of the response. */
          while ((token = pa_split(c->transport, delimiters,&token_state))) {
-            if ((pc = strstr(token, "="))) {
+            if ((pc = strchr(token, '='))) {
                  if (0 == strncmp(token, "server_port", 11)) {
-                    pa_atou(pc+1, (uint32_t*)(&c->rtp_port));
+                    uint32_t p;
+
+                    if (pa_atou(pc + 1,&p)<  0 || p<= 0 || p>= 0x10000) {
+                        pa_log("Invalid SETUP response (invalid 
server_port).");
+                        pa_xfree(token);
+                        return;
+                    }
+
+                    c->rtp_port = p;
                      pa_xfree(token);
                      break;
                  }
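Review bot: The key test `0 == strncmp(token, "server_port", 11)` is only a prefix match, so any Transport parameter whose name merely begins with server_port (a constructed example: `server_portx=1`) is parsed as the port and stored in c->rtp_port. Because the value comes from the server's SETUP response, I would also require the `=` to sit directly after the name: `if (pc - token == 11 && 0 == strncmp(token, "server_port", 11)) {`. Separately, `p <= 0` on a uint32_t is just `p == 0`, and a range-form value (constructed example: `server_port=6970-6971`) will presumably fail pa_atou() and now reject the whole response; if that is intended, a comment such as `/* only a single port is accepted, not a port range */` would make it explicit. headers_read() starts and continues outside this hunk, so whether the caller is notified after the new early return cannot be confirmed from here.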



--
David Henningsson, Canonical Ltd.
http://launchpad.net/~diwic