Changeset f351efa7d22645625d20204f86a44b194fde8352
- Timestamp:
- 03/19/08 16:31:07
(2 months ago)
- Author:
- Pavlov Konstantin <thresh@altlinux.ru>
- git-committer:
- Pavlov Konstantin <thresh@altlinux.ru> 1205940667 +0300
- git-parent:
[16c69ade84edabaf8c861f1e4f478ae815f94970]
- git-author:
- Pavlov Konstantin <thresh@altlinux.ru> 1205940667 +0300
- Message:
Fix Array Indexing Vulnerability in sdpplin_parse(). (CVE-2008-0073). (closes #1531).
Thanks to Alin Rad Pop, Secunia Research.
Ported from libxine.
-
Files:
-
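--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -139,7 +139,14 @@
 
 if(filter(*data,"a=control:streamid=",&buf, BUFLEN)) {
-desc->stream_id=atoi(buf);
-handled=1;
-*data=nl(*data);
+/* This way negative values are mapped to unfeasibly high
+* values, and will be discarded afterward
+*/
+unsigned long tmp = strtoul(buf, NULL, 10);
+if ( tmp > UINT16_MAX )
+lprintf("stream id out of bound: %lu\n", tmp);
+else
+desc->stream_id=tmp;
+handled=1;
+*data=nl(*data);
 }
 if(filter(*data,"a=MaxBitRate:integer;",&buf, BUFLEN)) {
@@ -255,5 +262,8 @@
 stream=sdpplin_parse_stream(&data);
 lprintf("got data for stream id %u\n", stream->stream_id);
-desc->stream[stream->stream_id]=stream;
+if ( stream->stream_id >= desc->stream_count )
+lprintf("stream id %u is greater than stream count %u\n", stream->stream_id, desc->stream_count);
+else
+desc->stream[stream->stream_id]=stream;
 continue;
 }
@@ -291,8 +301,15 @@
 }
 if(filter(data,"a=StreamCount:integer;",&buf, BUFLEN)) {
-desc->stream_count=atoi(buf);
-desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
-handled=1;
-data=nl(data);
+/* This way negative values are mapped to unfeasibly high
+* values, and will be discarded afterward
+*/
+unsigned long tmp = strtoul(buf, NULL, 10);
+if ( tmp > UINT16_MAX )
+lprintf("stream count out of bound: %lu\n", tmp);
+else
+desc->stream_count = tmp;
+desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
+handled=1;
+data=nl(data);
 }
 if(filter(data,"a=Flags:integer;",&buf, BUFLEN)) {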
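Review bot: In the StreamCount hunk the `malloc` still runs when `tmp > UINT16_MAX`, sized by whatever `desc->stream_count` held before (its initial value is not visible here), and the result is neither checked nor zeroed. Because the new bounds check in the second hunk now skips out-of-range ids, slots below `stream_count` can stay uninitialised; any code that later walks `desc->stream` up to `stream_count` would then read indeterminate pointers, though that code is outside this page, so this is an inference. Allocating only in the accepted branch with a zeroing, checked allocation, and resetting the count to 0 on failure, closes both gaps. The `stream` rejected in the second hunk also appears to be dropped without being freed. The enclosing functions start and end outside these hunks.

```c
unsigned long tmp = strtoul(buf, NULL, 10);
if ( tmp > UINT16_MAX ) {
  lprintf("stream count out of bound: %lu\n", tmp);
} else {
  /* allocate only for an accepted count; calloc leaves unused slots NULL */
  desc->stream = calloc(tmp, sizeof(sdpplin_stream_t*));
  desc->stream_count = desc->stream ? tmp : 0;
}
/* … unchanged: handled=1; data=nl(data); … */
```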
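--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -32,5 +32,5 @@
 char *bandwidth;
 
-int stream_id;
+uint16_t stream_id;
 char *range;
 char *length;
@@ -76,5 +76,5 @@
 int flags;
 int is_real_data_type;
-int stream_count;
+uint16_t stream_count;
 char *title;
 char *author;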
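Review bot: `stream_id` and `stream_count` now use `uint16_t`, but no `#include <stdint.h>` is visible in this section, and the parser side also relies on `UINT16_MAX` from the same header. If this file does not already pull it in elsewhere, add `#include <stdint.h>` near its top so the declarations do not depend on include order in the files that use them. A short comment on the two fields, such as `/* bounded to 16 bits: used as an index into / size of the stream array */`, would record why the width was narrowed. Both struct definitions start and end outside the hunks.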