[vlc-commits] realrtsp: fixed bufferoverflow and off-by-one

Fri, 26 Feb 2016 08:49:13 -0800 

vlc | branch: master | Filip Roséen <[email protected]> | Thu Feb 25 10:12:32 2016 
+0100| [a9bf85e5fd80489b3e8c1d8badb7d50c90387f6d] | committer: Jean-Baptiste 
Kempf

realrtsp: fixed bufferoverflow and off-by-one

- `strchr` can return `NULL`
- `data` is a pointer to a buffer which has a length that depends on
  the previous read of `Content-Header`.

Signed-off-by: Jean-Baptiste Kempf <[email protected]>

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=a9bf85e5fd80489b3e8c1d8badb7d50c90387f6d
---

 modules/access/rtsp/real_sdpplin.c |   26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/modules/access/rtsp/real_sdpplin.c 
b/modules/access/rtsp/real_sdpplin.c
index 0f56ce8..4119795 100644
--- a/modules/access/rtsp/real_sdpplin.c
+++ b/modules/access/rtsp/real_sdpplin.c
@@ -32,6 +32,14 @@ static inline char *nl(char *data) {
   return (nlptr) ? nlptr + 1 : NULL;
 }
 
+static inline int line_length(char * data) {
+  char const * p = nl(data);
+  if (p) {
+    return p - data - 1;
+  }
+  return strlen(data);
+}
+
 static int filter(access_t *p_access, const char *in, const char *filter, char 
**out, size_t outlen) {
 
   int flen=strlen(filter);
@@ -158,12 +166,13 @@ static sdpplin_stream_t *sdpplin_parse_stream(access_t 
*p_access, char **data) {
 
     if(!handled) {
 #ifdef LOG
-      int len=strchr(*data,'\n')-(*data);
-      memcpy(buf, *data, len+1);
-      buf[len]=0;
-      msg_Warn(p_access, "libreal: sdpplin: not handled: '%s'\n", buf);
+      int len = line_length(*data);
+      ;   len = len < BUFLEN ? len : BUFLEN-1;
+      buf[len] = '\0';
+      strncpy (buf, *data, len);
+      msg_Warn(p_access, "libreal: sdpplin: not handled: '%s'", buf);
 #endif
-      *data=nl(*data);
+      *data=nl(*data); /* always move to next line */
     }
   }
   free( buf );
@@ -272,9 +281,10 @@ sdpplin_t *sdpplin_parse(access_t *p_access, char *data)
 
     if(!handled) {
 #ifdef LOG
-      int len=strchr(data,'\n')-data;
-      memcpy(buf, data, len+1);
-      buf[len]=0;
+      int len = line_length(data);
+      ;   len = len < BUFLEN ? len : BUFLEN-1;
+      buf[len] = '\0';
+      strncpy (buf, data, len);
       msg_Warn(p_access, "libreal: sdpplin: not handled: '%s'", buf);
 #endif
       data=nl(data);

_______________________________________________
vlc-commits mailing list
[email protected]
https://mailman.videolan.org/listinfo/vlc-commits

Reply via email to