| author | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2008-01-11 13:49:08 +0000 |
|---|---|---|
| committer | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2008-01-11 13:49:08 +0000 |
| commit | f3e691cf556bd4ad1338f222ffcf5eaecafd6a24 (patch) | |
| tree | e2caa09dab36cbf448d998255688c51d570eb14c /src/input/librtsp | |
| parent | ff41358936294b3522429eaecc15edeba1bc1880 (diff) | |
| download | xine-lib-f3e691cf556bd4ad1338f222ffcf5eaecafd6a24.tar.gz xine-lib-f3e691cf556bd4ad1338f222ffcf5eaecafd6a24.tar.bz2 | |
Fix a buffer overflow in the RTSP header-handling code.
CVE-2008-0225; ported from mplayer changeset 22821.
Diffstat (limited to 'src/input/librtsp')
| -rw-r--r-- | src/input/librtsp/rtsp_session.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/input/librtsp/rtsp_session.c b/src/input/librtsp/rtsp_session.c
index f3ddb59bc..5b02282e9 100644
--- a/src/input/librtsp/rtsp_session.c
+++ b/src/input/librtsp/rtsp_session.c
@@ -148,6 +148,11 @@ connect:
 rtsp_session->header_left = rtsp_session->header_len = rmff_dump_header(h,rtsp_session->header,HEADER_SIZE);
+ if (rtsp_session->header_len < 0) {
+ xprintf (stream->xine, XINE_VERBOSITY_LOG,
+ _("rtsp_session: rtsp server returned overly-large headers, session can not be established.\n"));
+ goto session_abort;
+ }
 xine_buffer_copyin(rtsp_session->recv, 0, rtsp_session->header, rtsp_session->header_len);
 rtsp_session->recv_size = rtsp_session->header_len;
@@ -157,6 +162,7 @@ connect:
 { xprintf(stream->xine, XINE_VERBOSITY_LOG, _("rtsp_session: rtsp server type '%s' not supported yet. sorry.\n"), server);
+ session_abort:
 rtsp_close(rtsp_session->s);
 free(server);
 xine_buffer_free(rtsp_session->recv); |
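Review bot: The added `rtsp_session->header_len < 0` guard in the first hunk is only effective if `rmff_dump_header` returns a negative value when the header does not fit in `HEADER_SIZE`, and if `header_len` is a signed field. Neither is visible here, and the diffstat is limited to src/input/librtsp, so the callee's side of the fix should be confirmed alongside this change. `header_left` receives the same value in the chained assignment before the check, which is harmless only because the abort path tears the session down. I would state the contract at the call site, for example `/* rmff_dump_header() returns < 0 when the header exceeds HEADER_SIZE; do not copy in that case */`. The enclosing function starts and ends outside the hunk.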
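Review bot: The `session_abort:` label in the second hunk sits inside the braces of the "server type not supported" branch, so the `goto` added in the first hunk jumps into a sibling block. That is legal C, but it is easy to break if the branch is later restructured or gains declarations. A comment on the label would make the sharing explicit, for example `/* shared failure exit: also reached from the header-size check above */`. The cleanup sequence runs past the end of the hunk, so it is not visible whether everything acquired before the header check (such as `h`) is released on this path; that is worth verifying.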
