author | Diego 'Flameeyes' Pettenò <flameeyes@gmail.com> | 2008-03-11 15:24:55 +0100 |
---|---|---|
committer | Diego 'Flameeyes' Pettenò <flameeyes@gmail.com> | 2008-03-11 15:24:55 +0100 |
commit | d60523d37375659965650be4c695b3d439ded174 (patch) | |
tree | a1e31276a123b3a0be8cf0d2b6a6f924097afa6b /src | |
parent | 2e1b0bb57b6ce5e2c19a3a8b735c13ae42ef048c (diff) | |
Fix Array Indexing Vulnerability in sdpplin_parse(). (CVE-2008-0073).
Thanks to Alin Rad Pop, Secunia Research.
Diffstat (limited to 'src')
-rw-r--r-- | src/input/libreal/sdpplin.c | 23 | ||||
-rw-r--r-- | src/input/libreal/sdpplin.h | 4 |
2 files changed, 22 insertions, 5 deletions
diff --git a/src/input/libreal/sdpplin.c b/src/input/libreal/sdpplin.c
index 5b22e9044..04554c45e 100644
--- a/src/input/libreal/sdpplin.c
+++ b/src/input/libreal/sdpplin.c
@@ -143,7 +143,14 @@ static sdpplin_stream_t *sdpplin_parse_stream(char **data) {
 handled=0;
 if(filter(*data,"a=control:streamid=",&buf)) {
- desc->stream_id=atoi(buf);
+ /* This way negative values are mapped to unfeasibly high
+ * values, and will be discarded afterward
+ */
+ unsigned long tmp = strtoul(buf, NULL, 10);
+ if ( tmp > UINT16_MAX )
+ lprintf("stream id out of bound: %lu\n", tmp);
+ else
+ desc->stream_id=tmp;
 handled=1;
 *data=nl(*data);
 }
@@ -252,7 +259,10 @@ sdpplin_t *sdpplin_parse(char *data) {
 }
 stream=sdpplin_parse_stream(&data);
 lprintf("got data for stream id %u\n", stream->stream_id);
- desc->stream[stream->stream_id]=stream;
+ if ( stream->stream_id >= desc->stream_count )
+ lprintf("stream id %u is greater than stream count %u\n", stream->stream_id, desc->stream_count);
+ else
+ desc->stream[stream->stream_id]=stream;
 continue;
 }
@@ -293,7 +303,14 @@ sdpplin_t *sdpplin_parse(char *data) {
 }
 if(filter(data,"a=StreamCount:integer;",&buf)) {
- desc->stream_count=atoi(buf);
+ /* This way negative values are mapped to unfeasibly high
+ * values, and will be discarded afterward
+ */
+ unsigned long tmp = strtoul(buf, NULL, 10);
+ if ( tmp > UINT16_MAX )
+ lprintf("stream count out of bound: %lu\n", tmp);
+ else
+ desc->stream_count = tmp;
 desc->stream = calloc(desc->stream_count, sizeof(sdpplin_stream_t*));
 handled=1;
 data=nl(data);
diff --git a/src/input/libreal/sdpplin.h b/src/input/libreal/sdpplin.h
index cb3b434d4..72cbaf731 100644
--- a/src/input/libreal/sdpplin.h
+++ b/src/input/libreal/sdpplin.h
@@ -37,7 +37,7 @@ typedef struct {
 char *id;
 char *bandwidth;
- int stream_id;
+ uint16_t stream_id;
 char *range;
 char *length;
 char *rtpmap;
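Review bot: In the sdpplin_parse_stream hunk the out-of-bound branch only logs, yet `handled=1` is still set and the stream is still returned with `stream_id` left at whatever it held before (zero if the descriptor is zero-allocated — the allocation is outside this hunk), so a bogus `a=control:streamid=` line is accepted and later indexed with that stale id, which can alias slot 0 in the caller. Making the case a hard parse failure, for example leaving `handled` at 0 or signalling an error the caller checks, would be stricter than the `lprintf`, which is presumably a debug-only macro and may compile to nothing. `strtoul(buf, NULL, 10)` also returns 0 for non-numeric input with no indication; passing a `char *end` and rejecting `end == buf` distinguishes that from a real id 0, and the same applies to the StreamCount hunk further down. The enclosing function begins before this hunk.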
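Review bot: In the first sdpplin_parse hunk the new reject path drops the `sdpplin_stream_t` that sdpplin_parse_stream just returned without freeing it, so a malformed SDP with many out-of-range ids leaks one stream descriptor per line; the rejected stream should be released with the module's stream destructor (not visible in this diff) before `continue`. Now that the index is validated, a duplicate id still silently overwrites the previous occupant of `desc->stream[stream->stream_id]`, so a guard such as `else if (desc->stream[stream->stream_id]) { /* duplicate id: free and skip */ }` would close the remaining leak. The `stream->stream_id` dereference in the existing `lprintf` assumes sdpplin_parse_stream never returns NULL, which this hunk does not show. sdpplin_parse starts and ends outside the hunk.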
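Review bot: In the StreamCount hunk of sdpplin_parse the `calloc` on the line after the new `if`/`else` still runs when the count was rejected, so `desc->stream` is (re)allocated from the previous `stream_count`, and a repeated `a=StreamCount:integer;` line replaces `desc->stream` unconditionally, leaking the old array and every stream pointer already stored in it. Moving the allocation inside the `else` branch and skipping the line when `desc->stream` is already set keeps the count and the array consistent; the `calloc` result is also never checked (pre-existing), which the later bound check does not cover since a NULL array with a non-zero count is still indexed. The function continues outside the hunk.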
@@ -81,7 +81,7 @@ typedef struct {
 int flags;
 int is_real_data_type;
- int stream_count;
+ uint16_t stream_count;
 char *title;
 char *author;
 char *copyright;