[MPlayer-cvslog] CVS: main/libmpdemux asf_mmst_streaming.c, 1.25, 1.26

Reimar Döffinger CVS syncmail at mplayerhq.hu
Wed Dec 15 20:12:48 CET 2004 

CVS change done by Reimar Döffinger CVS

Update of /cvsroot/mplayer/main/libmpdemux
In directory mail:/var2/tmp/cvs-serv30135/libmpdemux

Modified Files:
	asf_mmst_streaming.c 
Log Message:
fix a problem pointed out by iDEFENSE and several similar ones.


Index: asf_mmst_streaming.c
===================================================================
RCS file: /cvsroot/mplayer/main/libmpdemux/asf_mmst_streaming.c,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- asf_mmst_streaming.c	10 Oct 2004 13:00:56 -0000	1.25
+++ asf_mmst_streaming.c	15 Dec 2004 19:12:46 -0000	1.26
@@ -42,6 +42,7 @@
 #include "network.h"
 
 #define BUF_SIZE 102400
+#define HDR_BUF_SIZE 8192
 
 typedef struct 
 {
@@ -216,6 +217,11 @@
 
 //      printf ("asf header packet detected, len=%d\n", packet_len);
 
+      if (packet_len < 0 || packet_len > HDR_BUF_SIZE - header_len) {
+        mp_msg(MSGT_NETWORK, MSGL_FATAL, "Invalid header size, giving up\n");
+        return 0;
+      }
+
       if (!get_data (s, &header[header_len], packet_len)) {
 	printf ("header data read failed\n");
 	return 0;
@@ -250,6 +256,12 @@
       packet_len = get_32 ((unsigned char*)&packet_len, 0) + 4;
       
 //      printf ("command packet detected, len=%d\n", packet_len);
+
+      if (packet_len < 0 || packet_len > BUF_SIZE) {
+        mp_msg(MSGT_NETWORK, MSGL_FATAL,
+                "Invalid rtsp packet size, giving up\n");
+        return 0;
+      }
       
       if (!get_data (s, data, packet_len)) {
 	printf ("command data read failed\n");
@@ -361,6 +373,12 @@
 
 //    printf ("asf media packet detected, len=%d\n", packet_len);
 
+    if (packet_len < 0 || packet_len > BUF_SIZE) {
+      mp_msg(MSGT_NETWORK, MSGL_FATAL,
+              "Invalid rtsp packet size, giving up\n");
+      return 0;
+    }
+      
     if (!get_data (s, data, packet_len)) {
       printf ("media data read failed\n");
       return 0;
@@ -380,6 +398,12 @@
 
     packet_len = get_32 ((unsigned char*)&packet_len, 0) + 4;
 
+    if (packet_len < 0 || packet_len > BUF_SIZE) {
+      mp_msg(MSGT_NETWORK, MSGL_FATAL,
+              "Invalid rtsp packet size, giving up\n");
+      return 0;
+    }
+
     if (!get_data (s, data, packet_len)) {
       printf ("command data read failed\n");
       return 0;
@@ -464,7 +488,7 @@
 {
   char                 str[1024];
   char                 data[BUF_SIZE];
-  uint8_t              asf_header[8192];
+  uint8_t              asf_header[HDR_BUF_SIZE];
   int                  asf_header_len;
   int                  len, i, packet_length;
   char                *path, *unescpath;

More information about the MPlayer-cvslog mailing list