2c8260b4ae
- MMS: Fix stack overflow. SA-1201 - RealRTSP: Fix heap overflows. SA-1202 - ty: Fix out of bound read on corrupt files. - Avoid char conversion in strchr(). - Fix surrogate detection. from Brad (maintainer)
42 lines
1.2 KiB
Plaintext
42 lines
1.2 KiB
Plaintext
$OpenBSD: patch-modules_access_rtsp_real_c,v 1.1 2012/03/21 08:27:29 ajacoutot Exp $
|
|
|
|
Fix heap overflows. SA-1202
|
|
|
|
--- modules/access/rtsp/real.c.orig Thu Apr 15 12:56:07 2010
|
|
+++ modules/access/rtsp/real.c Tue Mar 20 16:32:47 2012
|
|
@@ -351,6 +351,7 @@ static void real_calc_response_and_checksum (char *res
|
|
chksum[i] = response[i*4];
|
|
}
|
|
|
|
+#define MLTI_BUF_MAX_SIZE 2048
|
|
|
|
/*
|
|
* takes a MLTI-Chunk and a rule number got from match_asm_rule,
|
|
@@ -368,7 +369,7 @@ static int select_mlti_data(const char *mlti_chunk, in
|
|
||(mlti_chunk[3] != 'I'))
|
|
{
|
|
lprintf("MLTI tag not detected, copying data\n");
|
|
- memcpy(*out, mlti_chunk, mlti_size);
|
|
+ memcpy(*out, mlti_chunk, __MIN(mlti_size,MLTI_BUF_MAX_SIZE));
|
|
return mlti_size;
|
|
}
|
|
|
|
@@ -405,7 +406,7 @@ static int select_mlti_data(const char *mlti_chunk, in
|
|
}
|
|
size=BE_32(mlti_chunk);
|
|
|
|
- memcpy(*out, mlti_chunk+4, size);
|
|
+ memcpy(*out, mlti_chunk+4, __MIN(size,MLTI_BUF_MAX_SIZE));
|
|
return size;
|
|
}
|
|
|
|
@@ -430,7 +431,7 @@ static rmff_header_t *real_parse_sdp(char *data, char
|
|
desc=sdpplin_parse(data);
|
|
if( !desc ) return NULL;
|
|
|
|
- buf= (char *)malloc(2048);
|
|
+ buf= (char *)malloc(MLTI_BUF_MAX_SIZE);
|
|
if( !buf ) goto error;
|
|
|
|
header = calloc( 1, sizeof(rmff_header_t) );
|