Fix buffer overrun reported by Roland Kay with JW's patch. Close bug #1603458.

CVS patchset: 8392
CVS date: 2006/11/29 19:43:01

3 files changed, 9 insertions, 9 deletions

diff --git a/src/input/libreal/asmrp.c b/src/input/libreal/asmrp.c
index 466946ad2..5fd5ae798 100644
--- a/src/input/libreal/asmrp.c
+++ b/src/input/libreal/asmrp.c
@@ -17,7 +17,7 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA
  *
- * $Id: asmrp.c,v 1.8 2004/08/27 18:34:16 miguelfreitas Exp $
+ * $Id: asmrp.c,v 1.9 2006/11/29 19:43:01 dgp85 Exp $
  *
  * a parser for real's asm rules
  *
@@ -604,7 +604,7 @@ static int asmrp_rule (asmrp_t *p) {
   return ret;
 }
 
-static int asmrp_eval (asmrp_t *p, int *matches) {
+static int asmrp_eval (asmrp_t *p, int *matches, int matchsize) {
 
   int rule_num, num_matches;
 
@@ -613,7 +613,7 @@ static int asmrp_eval (asmrp_t *p, int *matches) {
   asmrp_get_sym (p);
 
   rule_num = 0; num_matches = 0;
-  while (p->sym != ASMRP_SYM_EOF) {
+  while (p->sym != ASMRP_SYM_EOF && num_matches < matchsize - 1) {
 
     if (asmrp_rule (p)) {
       lprintf ("rule #%d is true\n", rule_num);
@@ -629,7 +629,7 @@ static int asmrp_eval (asmrp_t *p, int *matches) {
   return num_matches;
 }
 
-int asmrp_match (const char *rules, int bandwidth, int *matches) {
+int asmrp_match (const char *rules, int bandwidth, int *matches, int matchsize) {
 
   asmrp_t *p;
   int      num_matches;
@@ -641,7 +641,7 @@ int asmrp_match (const char *rules, int bandwidth, int *matches) {
   asmrp_set_id (p, "Bandwidth", bandwidth);
   asmrp_set_id (p, "OldPNMPlayer", 0);
 
-  num_matches = asmrp_eval (p, matches);
+  num_matches = asmrp_eval (p, matches, matchsize);
 
   asmrp_dispose (p);
 
diff --git a/src/input/libreal/asmrp.h b/src/input/libreal/asmrp.h
index d7239f33d..d787eb330 100644
--- a/src/input/libreal/asmrp.h
+++ b/src/input/libreal/asmrp.h
@@ -17,7 +17,7 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA
  *
- * $Id: asmrp.h,v 1.2 2003/12/09 00:02:30 f1rmb Exp $
+ * $Id: asmrp.h,v 1.3 2006/11/29 19:43:01 dgp85 Exp $
  *
  * a parser for real's asm rules
  *
@@ -37,6 +37,6 @@
 #ifndef HAVE_ASMRP_H
 #define HAVE_ASMRP_H
 
-int asmrp_match (const char *rules, int bandwidth, int *matches) ;
+int asmrp_match (const char *rules, int bandwidth, int *matches, int matchesizxe) ;
 
 #endif
diff --git a/src/input/libreal/real.c b/src/input/libreal/real.c
index f95b754a7..270fd16e4 100644
--- a/src/input/libreal/real.c
+++ b/src/input/libreal/real.c
@@ -17,7 +17,7 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA
  *
- * $Id: real.c,v 1.23 2006/06/20 01:07:58 dgp85 Exp $
+ * $Id: real.c,v 1.24 2006/11/29 19:43:01 dgp85 Exp $
  *
  * special functions for real streams.
  * adopted from joschkas real tools.
@@ -476,7 +476,7 @@ rmff_header_t *real_parse_sdp(char *data, char **stream_rules, uint32_t bandwidt
 
     lprintf("calling asmrp_match with:\n%s\n%u\n", desc->stream[i]->asm_rule_book, bandwidth);
 
-    n=asmrp_match(desc->stream[i]->asm_rule_book, bandwidth, rulematches);
+    n=asmrp_match(desc->stream[i]->asm_rule_book, bandwidth, rulematches, sizeof(rulematches)/sizeof(rulematches[0]));
     for (j=0; j<n; j++) {
       lprintf("asmrp rule match: %u for stream %u\n", rulematches[j], desc->stream[i]->stream_id);
       sprintf(b,"stream=%u;rule=%u,", desc->stream[i]->stream_id, rulematches[j]);