From f3e691cf556bd4ad1338f222ffcf5eaecafd6a24 Mon Sep 17 00:00:00 2001
From: Darren Salt
Date: Fri, 11 Jan 2008 13:49:08 +0000
Subject: Fix a buffer overflow in the RTSP header-handling code. CVE-2008-0225; ported from mplayer changeset 22821.
---
 src/input/librtsp/rtsp_session.c | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'src/input/librtsp')
diff --git a/src/input/librtsp/rtsp_session.c b/src/input/librtsp/rtsp_session.c
index f3ddb59bc..5b02282e9 100644
--- a/src/input/librtsp/rtsp_session.c
+++ b/src/input/librtsp/rtsp_session.c
@@ -148,6 +148,11 @@ connect:
 rtsp_session->header_left = rtsp_session->header_len = rmff_dump_header(h,rtsp_session->header,HEADER_SIZE);
+ if (rtsp_session->header_len < 0) {
+ xprintf (stream->xine, XINE_VERBOSITY_LOG,
+ _("rtsp_session: rtsp server returned overly-large headers, session can not be established.\n"));
+ goto session_abort;
+ }
 xine_buffer_copyin(rtsp_session->recv, 0, rtsp_session->header, rtsp_session->header_len);
 rtsp_session->recv_size = rtsp_session->header_len;
@@ -157,6 +162,7 @@ connect:
 {
 xprintf(stream->xine, XINE_VERBOSITY_LOG, _("rtsp_session: rtsp server type '%s' not supported yet. sorry.\n"), server);
+ session_abort:
 rtsp_close(rtsp_session->s);
 free(server);
 xine_buffer_free(rtsp_session->recv);
--
cgit v1.2.3
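Review bot: The new `header_len < 0` test after the `rmff_dump_header()` call only protects the `xine_buffer_copyin()` below if `header_len` is a signed field and `rmff_dump_header()` reports an oversized header with a negative return; neither is visible here, because this view is limited to src/input/librtsp. If the field were unsigned the branch would be dead and the server-controlled length would reach the copy unchecked, so the contract deserves a comment above the test, e.g. `/* rmff_dump_header() returns < 0 if the header does not fit in HEADER_SIZE; header_len must stay signed */`. It is also worth confirming that `h` is released on the abort path, which the hunk does not show. The enclosing function starts and ends outside the hunk.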
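Review bot: `session_abort:` sits inside the block that handles an unsupported server type, so the `goto` added in the first hunk jumps into the middle of another branch's compound statement. That is legal C, but the oversized-header path now depends on that branch keeping its cleanup order, and a later edit to the unsupported-server handling silently changes the overflow handling too. A comment on the label such as `/* also reached from the oversized-header check above */` would make the shared cleanup explicit; a function-level cleanup label would be the more durable form. The block continues past the end of the hunk, so the remaining cleanup and the return are not visible.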