From 613c8a88fbdde3545c6e646595ae2882a3b4f382 Mon Sep 17 00:00:00 2001
From: Miguel Freitas <miguelfreitas@users.sourceforge.net>
Date: Fri, 23 Apr 2004 21:59:04 +0000
Subject: some sanity and bounds checking (my own audit) lets hope i didn't
 broke anything

CVS patchset: 6428
CVS date: 2004/04/23 21:59:04
---
 src/input/libreal/real.c         | 48 ++++++++++++++++++++++++++--------------
 src/input/libreal/real.h         |  4 ++--
 src/input/libreal/sdpplin.c      | 16 +++++++++-----
 src/input/librtsp/rtsp_session.c | 14 ++++++++----
 4 files changed, 55 insertions(+), 27 deletions(-)

diff --git a/src/input/libreal/real.c b/src/input/libreal/real.c
index 5df0a8ec0..c3b70b6a5 100644
--- a/src/input/libreal/real.c
+++ b/src/input/libreal/real.c
@@ -17,7 +17,7 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA
  *
- * $Id: real.c,v 1.15 2004/04/22 15:23:55 hadess Exp $
+ * $Id: real.c,v 1.16 2004/04/23 21:59:04 miguelfreitas Exp $
  *
  * special functions for real streams.
  * adopted from joschkas real tools.
@@ -379,7 +379,7 @@ void real_calc_response_and_checksum (char *response, char *chksum, char *challe
  * returns a pointer to selected data and number of bytes in that.
  */
 
-static int select_mlti_data(const char *mlti_chunk, int mlti_size, int selection, char *out) {
+static int select_mlti_data(const char *mlti_chunk, int mlti_size, int selection, char **out) {
 
   int numrules, codec, size;
   int i;
@@ -392,7 +392,7 @@ static int select_mlti_data(const char *mlti_chunk, int mlti_size, int selection
       ||(mlti_chunk[3] != 'I'))
   {
     lprintf("MLTI tag not detected, copying data\n");
-    memcpy(out, mlti_chunk, mlti_size);
+    xine_buffer_copyin(*out, 0, mlti_chunk, mlti_size);
     return mlti_size;
   }
 
@@ -433,7 +433,7 @@ static int select_mlti_data(const char *mlti_chunk, int mlti_size, int selection
 #ifdef LOG
   xine_hexdump(mlti_chunk+4, size);
 #endif
-  memcpy(out,mlti_chunk+4, size);
+  xine_buffer_copyin(*out, 0, mlti_chunk+4, size);
   return size;
 }
 
@@ -445,7 +445,7 @@ rmff_header_t *real_parse_sdp(char *data, char *stream_rules, uint32_t bandwidth
 
   sdpplin_t *desc;
   rmff_header_t *header;
-  char buf[2048];
+  char *buf;
   int len, i;
   int max_bit_rate=0;
   int avg_bit_rate=0;
@@ -459,7 +459,8 @@ rmff_header_t *real_parse_sdp(char *data, char *stream_rules, uint32_t bandwidth
   desc=sdpplin_parse(data);
 
   if (!desc) return NULL;
-  
+ 
+  buf=xine_buffer_init(2048);
   header = xine_xmalloc(sizeof(rmff_header_t));
 
   header->fileheader=rmff_new_fileheader(4+desc->stream_count);
@@ -485,12 +486,12 @@ rmff_header_t *real_parse_sdp(char *data, char *stream_rules, uint32_t bandwidth
     for (j=0; j<n; j++) {
       lprintf("asmrp rule match: %u for stream %u\n", rulematches[j], desc->stream[i]->stream_id);
       sprintf(b,"stream=%u;rule=%u,", desc->stream[i]->stream_id, rulematches[j]);
-      strcat(stream_rules, b);
+      xine_buffer_strcat(stream_rules, b);
     }
 
     if (!desc->stream[i]->mlti_data) return NULL;
 
-    len=select_mlti_data(desc->stream[i]->mlti_data, desc->stream[i]->mlti_data_size, rulematches[0], buf);
+    len=select_mlti_data(desc->stream[i]->mlti_data, desc->stream[i]->mlti_data_size, rulematches[0], &buf);
     
     header->streams[i]=rmff_new_mdpr(
 	desc->stream[i]->stream_id,
@@ -516,7 +517,7 @@ rmff_header_t *real_parse_sdp(char *data, char *stream_rules, uint32_t bandwidth
       avg_packet_size=desc->stream[i]->avg_packet_size;
   }
   
-  if (stream_rules)
+  if (stream_rules && strlen(stream_rules) && stream_rules[strlen(stream_rules)-1] == ',')
     stream_rules[strlen(stream_rules)-1]=0; /* delete last ',' in stream_rules */
 
   header->prop=rmff_new_prop(
@@ -533,11 +534,12 @@ rmff_header_t *real_parse_sdp(char *data, char *stream_rules, uint32_t bandwidth
       desc->flags);
 
   rmff_fix_header(header);
+  xine_buffer_free(buf);
 
   return header;
 }
 
-int real_get_rdt_chunk(rtsp_t *rtsp_session, char *buffer) {
+int real_get_rdt_chunk(rtsp_t *rtsp_session, char **buffer) {
 
   int n=1;
   uint8_t header[8];
@@ -594,9 +596,10 @@ int real_get_rdt_chunk(rtsp_t *rtsp_session, char *buffer) {
   ph.timestamp=ts;
   ph.reserved=0;
   ph.flags=0;      /* TODO: determine keyframe flag and insert here? */
-  rmff_dump_pheader(&ph, buffer);
+  xine_buffer_ensure_size(*buffer, 12+size);
+  rmff_dump_pheader(&ph, *buffer);
   size-=12;
-  n=rtsp_read_data(rtsp_session, buffer+12, size);
+  n=rtsp_read_data(rtsp_session, (*buffer)+12, size);
   
   return n+12;
 }
@@ -609,8 +612,8 @@ rmff_header_t  *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwid
   char *challenge1;
   char challenge2[64];
   char checksum[34];
-  char subscribe[256];
-  char buf[256];
+  char *subscribe;
+  char *buf=xine_buffer_init(256);
   char *mrl=rtsp_get_mrl(rtsp_session);
   unsigned int size;
   int status;
@@ -638,6 +641,7 @@ rmff_header_t  *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwid
       lprintf("real: got message from server:\n%s\n", alert);
     }
     rtsp_send_ok(rtsp_session);
+    xine_buffer_free(buf);
     return NULL;
   }
 
@@ -661,9 +665,14 @@ rmff_header_t  *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwid
   description[size]=0;
 
   /* parse sdp (sdpplin) and create a header and a subscribe string */
+  subscribe=xine_buffer_init(256);
   strcpy(subscribe, "Subscribe: ");
-  h=real_parse_sdp(description, subscribe+11, bandwidth);
-  if (!h) return NULL;
+  h=real_parse_sdp(description, subscribe, bandwidth);
+  if (!h) {
+    xine_buffer_free(subscribe);
+    xine_buffer_free(buf);
+    return NULL;
+  }
   rmff_fix_header(h);
 
   lprintf("Title: %s\nCopyright: %s\nAuthor: %s\nStreams: %i\n",
@@ -671,19 +680,24 @@ rmff_header_t  *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwid
   
   /* setup our streams */
   real_calc_response_and_checksum (challenge2, checksum, challenge1);
+  xine_buffer_ensure_size(buf, strlen(challenge2) + strlen(checksum) + 32);
   sprintf(buf, "RealChallenge2: %s, sd=%s", challenge2, checksum);
   rtsp_schedule_field(rtsp_session, buf);
+  xine_buffer_ensure_size(buf, strlen(session_id) + 32);
   sprintf(buf, "If-Match: %s", session_id);
   rtsp_schedule_field(rtsp_session, buf);
   rtsp_schedule_field(rtsp_session, "Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play");
+  xine_buffer_ensure_size(buf, strlen(mrl) + 32);
   sprintf(buf, "%s/streamid=0", mrl);
   rtsp_request_setup(rtsp_session,buf);
 
   if (h->prop->num_streams > 1) {
     rtsp_schedule_field(rtsp_session, "Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play");
+    xine_buffer_ensure_size(buf, strlen(session_id) + 32);
     sprintf(buf, "If-Match: %s", session_id);
     rtsp_schedule_field(rtsp_session, buf);
 
+    xine_buffer_ensure_size(buf, strlen(mrl) + 32);
     sprintf(buf, "%s/streamid=1", mrl);
     rtsp_request_setup(rtsp_session,buf);
   }
@@ -695,6 +709,8 @@ rmff_header_t  *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwid
   rtsp_schedule_field(rtsp_session, "Range: npt=0-");
   rtsp_request_play(rtsp_session,NULL);
 
+  xine_buffer_free(subscribe);
+  xine_buffer_free(buf);
   return h;
 }
 
diff --git a/src/input/libreal/real.h b/src/input/libreal/real.h
index 4d714d42f..3cdf6fe01 100644
--- a/src/input/libreal/real.h
+++ b/src/input/libreal/real.h
@@ -17,7 +17,7 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA
  *
- * $Id: real.h,v 1.3 2003/12/09 00:02:30 f1rmb Exp $
+ * $Id: real.h,v 1.4 2004/04/23 21:59:04 miguelfreitas Exp $
  *
  * special functions for real streams.
  * adopted from joschkas real tools.
@@ -41,7 +41,7 @@
  * (RealChallenge1 in rtsp). See implementation for details.
  */
 void real_calc_response_and_checksum (char *response, char *chksum, char *challenge);
-int real_get_rdt_chunk(rtsp_t *rtsp_session, char *buffer);
+int real_get_rdt_chunk(rtsp_t *rtsp_session, char **buffer);
 rmff_header_t *real_parse_sdp(char *data, char *stream_rules, uint32_t bandwidth);
 rmff_header_t *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwidth);
 
diff --git a/src/input/libreal/sdpplin.c b/src/input/libreal/sdpplin.c
index 5dbff3812..91aa133fa 100644
--- a/src/input/libreal/sdpplin.c
+++ b/src/input/libreal/sdpplin.c
@@ -17,7 +17,7 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA
  *
- * $Id: sdpplin.c,v 1.4 2003/12/09 00:02:30 f1rmb Exp $
+ * $Id: sdpplin.c,v 1.5 2004/04/23 21:59:04 miguelfreitas Exp $
  *
  * sdp/sdpplin parser.
  *
@@ -94,13 +94,19 @@ static char *b64_decode(const char *in, char *out, int *size)
 
 static char *nl(char *data) {
 
-  return strchr(data,'\n')+1;
+  char *nlptr = (data) ? strchr(data,'\n') : NULL;
+  return (nlptr) ? nlptr + 1 : NULL;
 }
 
 static int filter(const char *in, const char *filter, char **out) {
 
   int flen=strlen(filter);
-  int len=strchr(in,'\n')-in;
+  int len;
+  
+  if (!in)
+    return 0;
+  
+  len = (strchr(in,'\n')) ? strchr(in,'\n')-in : strlen(in);
 
   if (!strncmp(in,filter,flen))
   {
@@ -133,7 +139,7 @@ static sdpplin_stream_t *sdpplin_parse_stream(char **data) {
   }
   *data=nl(*data);
 
-  while (**data && *data[0]!='m') {
+  while (*data && **data && *data[0]!='m') {
 
     handled=0;
     
@@ -232,7 +238,7 @@ sdpplin_t *sdpplin_parse(char *data) {
   int              handled;
   int              len;
 
-  while (*data) {
+  while (data && *data) {
 
     handled=0;
     
diff --git a/src/input/librtsp/rtsp_session.c b/src/input/librtsp/rtsp_session.c
index 42994cc1e..a6bcfe370 100644
--- a/src/input/librtsp/rtsp_session.c
+++ b/src/input/librtsp/rtsp_session.c
@@ -17,7 +17,7 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA
  *
- * $Id: rtsp_session.c,v 1.14 2003/12/09 00:02:31 f1rmb Exp $
+ * $Id: rtsp_session.c,v 1.15 2004/04/23 21:59:04 miguelfreitas Exp $
  *
  * high level interface to rtsp servers.
  */
@@ -53,7 +53,7 @@ struct rtsp_session_s {
   rtsp_t       *s;
 
   /* receive buffer */
-  uint8_t       recv[BUF_SIZE];
+  uint8_t       *recv;
   int           recv_size;
   int           recv_read;
 
@@ -72,6 +72,8 @@ rtsp_session_t *rtsp_session_start(xine_stream_t *stream, char *mrl) {
   rmff_header_t *h;
   uint32_t bandwidth=10485800;
 
+  rtsp_session->recv = xine_buffer_init(BUF_SIZE);
+      
 connect:
 
   /* connect to server */
@@ -80,6 +82,7 @@ connect:
   {
     xprintf(stream->xine, XINE_VERBOSITY_LOG,
 	    _("rtsp_session: failed to connect to server %s\n"), mrl_line);
+    xine_buffer_free(rtsp_session->recv);
     free(rtsp_session);
     return NULL;
   }
@@ -114,6 +117,7 @@ connect:
         xprintf(stream->xine, XINE_VERBOSITY_LOG,
 		_("rtsp_session: session can not be established.\n"));
         rtsp_close(rtsp_session->s);
+        xine_buffer_free(rtsp_session->recv);
         free(rtsp_session);
         return NULL;
       }
@@ -121,7 +125,7 @@ connect:
 	
     rtsp_session->header_len=rmff_dump_header(h,rtsp_session->header,1024);
 
-    memcpy(rtsp_session->recv, rtsp_session->header, rtsp_session->header_len);
+    xine_buffer_copyin(rtsp_session->recv, 0, rtsp_session->header, rtsp_session->header_len);
     rtsp_session->recv_size = rtsp_session->header_len;
     rtsp_session->recv_read = 0;
     
@@ -131,6 +135,7 @@ connect:
 	    _("rtsp_session: rtsp server type '%s' not supported yet. sorry.\n"), server);
     rtsp_close(rtsp_session->s);
     free(server);
+    xine_buffer_free(rtsp_session->recv);
     free(rtsp_session);
     return NULL;
   }
@@ -153,8 +158,8 @@ int rtsp_session_read (rtsp_session_t *this, char *data, int len) {
     to_copy -= fill;
     dest += fill;
     this->recv_read = 0;
+    this->recv_size = real_get_rdt_chunk (this->s, &this->recv);
     source = this->recv;
-    this->recv_size = real_get_rdt_chunk (this->s, source);
     fill = this->recv_size;
 
     if (this->recv_size == 0) {
@@ -185,5 +190,6 @@ int rtsp_session_peek_header(rtsp_session_t *this, char *buf, int maxsize) {
 void rtsp_session_end(rtsp_session_t *session) {
 
   rtsp_close(session->s);
+  xine_buffer_free(session->recv);
   free(session);
 }
-- 
cgit v1.2.3