# HG changeset patch
# User rtognimp
# Date 1082852243 0
# Node ID 4adb4a3b52a27dfe056d44b17f78ddf39c447b86
# Parent 24c13ef4f42bcd89d34542e7c675b2d92422efc4
More bounds checking fixes (thnaks to Miguel Freitas)
diff -r 24c13ef4f42b -r 4adb4a3b52a2 libmpdemux/realrtsp/real.c
--- a/libmpdemux/realrtsp/real.c Sat Apr 24 13:22:05 2004 +0000
+++ b/libmpdemux/realrtsp/real.c Sun Apr 25 00:17:23 2004 +0000
@@ -661,7 +661,7 @@
 size-=12;
 n=rtsp_read_data(rtsp_session, (*buffer)+12, size);
- return n+12;
+ return (n <= 0) ? 0 : n+12;
 }
 int convert_timestamp(char *str, int *sec, int *msec) {
@@ -744,7 +744,10 @@
 description=malloc(sizeof(char)*(size+1));
- rtsp_read_data(rtsp_session, description, size);
+ if( rtsp_read_data(rtsp_session, description, size) <= 0) {
+ buf = xbuffer_free(buf);
+ return NULL;
+ }
 description[size]=0; /* parse sdp (sdpplin) and create a header and a subscribe string */
diff -r 24c13ef4f42b -r 4adb4a3b52a2 libmpdemux/realrtsp/rtsp.c
--- a/libmpdemux/realrtsp/rtsp.c Sat Apr 24 13:22:05 2004 +0000
+++ b/libmpdemux/realrtsp/rtsp.c Sun Apr 25 00:17:23 2004 +0000
@@ -73,8 +73,6 @@
 unsigned int server_state;
 uint32_t server_caps;
- char buffer[BUF_SIZE]; /* scratch buffer */
-
 unsigned int cseq;
 char *session;
@@ -271,11 +269,12 @@
 static char *rtsp_get(rtsp_t *s) {
 int n=0;
- char *string;
+ char *buffer = malloc(BUF_SIZE);
+ char *string = NULL;
 while (ns, &s->buffer[n], 1);
- if ((s->buffer[n-1]==0x0d)&&(s->buffer[n]==0x0a)) break;
+ read_stream(s->s, &(buffer[n]), 1);
+ if ((buffer[n-1]==0x0d)&&(buffer[n]==0x0a)) break;
 n++;
 }
@@ -284,7 +283,7 @@
 exit(1);
 }
 string=malloc(sizeof(char)*n);
- memcpy(string,s->buffer,n-1);
+ memcpy(string,buffer,n-1);
 string[n-1]=0;
 #ifdef LOG
@@ -292,6 +291,7 @@
 #endif
+ free(buffer);
 return string;
 }
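Review bot: In the real.c hunk at `@@ -744,7 +744,10 @@` the new error path returns without releasing `description`, which the `malloc` on the context line just above allocated, so each failed read leaks that buffer. Adding `free(description);` before `buf = xbuffer_free(buf);` closes it. The `malloc` result is also used unchecked, and if `rtsp_read_data` can return fewer than `size` bytes (not visible here) the tail of `description` is uninitialised when it is parsed, so comparing the result with `size` rather than with 0 would be the safer test. The enclosing function starts and ends outside the hunk.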
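Review bot: In `rtsp_get` (rtsp.c, `@@ -271,11 +269,12 @@`) the result of `malloc(BUF_SIZE)` is written through without a NULL check, and on the first pass, with `n` equal to 0, `buffer[n-1]` reads one byte before the heap allocation. Suggest `if (!buffer) return NULL;` directly after the allocation and `if (n > 0 && buffer[n-1]==0x0d && buffer[n]==0x0a) break;` for the line-end test. The return value of `read_stream` is ignored, so after a failed read the comparison runs on bytes that were never written. The loop header is damaged on this page, so the bound on `n` could not be reviewed.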
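Review bot: The callers changed later in this patch test the result of `rtsp_get` for NULL, but on the lines visible at `@@ -284,7 +283,7 @@` the branch just above still calls `exit(1)` and `string=malloc(sizeof(char)*n)` goes into `memcpy` unchecked, so a NULL return never reaches those checks. If callers are meant to recover, replace the `exit(1)` with `free(buffer); return NULL;` and add `if (!string) { free(buffer); return NULL; }` before the `memcpy`. Whether `n` can be 0 here depends on code outside the hunk; if it can, `n-1` becomes a very large length in `memcpy` and should be rejected first.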
@@ -352,8 +352,13 @@
 static void rtsp_send_request(rtsp_t *s, const char *type, const char *what) {
 char **payload=s->scheduled;
- sprintf(s->buffer,"%s %s %s",type, what, rtsp_protocol_version);
- rtsp_put(s,s->buffer);
+ char *buf;
+
+ buf = malloc(strlen(type)+strlen(what)+strlen(rtsp_protocol_version)+3);
+
+ sprintf(buf,"%s %s %s",type, what, rtsp_protocol_version);
+ rtsp_put(s,buf);
+ free(buf);
 if (payload) while (*payload) {
 rtsp_put(s,*payload);
@@ -369,11 +374,17 @@
 static void rtsp_schedule_standard(rtsp_t *s) {
- sprintf(s->buffer, "Cseq: %u", s->cseq);
- rtsp_schedule_field(s, s->buffer);
+ char tmp[16];
+
+ snprintf(tmp, 16, "Cseq: %u", s->cseq);
+ rtsp_schedule_field(s, tmp);
+
 if (s->session) {
- sprintf(s->buffer, "Session: %s", s->session);
- rtsp_schedule_field(s, s->buffer);
+ char *buf;
+ buf = malloc(strlen(s->session)+15);
+ sprintf(buf, "Session: %s", s->session);
+ rtsp_schedule_field(s, buf);
+ free(buf);
 }
 }
 /*
@@ -388,6 +399,8 @@
 int code;
 answer=rtsp_get(s);
+ if (!answer)
+ return 0;
 code=rtsp_get_code(answer);
 free(answer);
@@ -396,6 +409,8 @@
 do { /* while we get answer lines */
 answer=rtsp_get(s);
+ if (!answer)
+ return 0;
 if (!strncmp(answer,"Cseq:",5)) {
 sscanf(answer,"Cseq: %u",&answer_seq);
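Review bot: `buf` is passed to `sprintf` in `rtsp_send_request` (`@@ -352,8 +352,13 @@`) without checking that `malloc` succeeded. The length arithmetic is correct (two separators plus the terminator), but the write is not tied to it; keeping the size in a local, returning early on `if (!buf)`, and calling `snprintf(buf, len, "%s %s %s", type, what, rtsp_protocol_version);` makes the bound explicit. The function body continues past the end of the hunk.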
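Review bot: `char tmp[16]` in `rtsp_schedule_standard` (`@@ -369,11 +374,17 @@`) is one byte short for the largest sequence number: "Cseq: " is 6 characters and, where `unsigned` is 32 bits, `%u` prints up to 10 digits, which needs 17 bytes with the terminator. `snprintf` keeps the write in bounds, but from 1000000000 upward the last digit is silently dropped and a wrong Cseq value is scheduled. Suggest `char tmp[17];` with `snprintf(tmp, sizeof tmp, "Cseq: %u", s->cseq);`. The `malloc(strlen(s->session)+15)` further down is large enough for the "Session: " prefix but is used without a NULL check.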
@@ -407,26 +422,29 @@
 }
 }
 if (!strncmp(answer,"Server:",7)) {
- sscanf(answer,"Server: %s",s->buffer);
+ char *buf = malloc(strlen(answer));
+ sscanf(answer,"Server: %s",buf);
 if (s->server) free(s->server);
- s->server=strdup(s->buffer);
+ s->server=strdup(buf);
+ free(buf);
 }
 if (!strncmp(answer,"Session:",8)) {
- memset(s->buffer,0, BUF_SIZE);
- sscanf(answer,"Session: %s",s->buffer);
+ char *buf = calloc(1, strlen(answer));
+ sscanf(answer,"Session: %s",buf);
 if (s->session) {
- if (strcmp(s->buffer, s->session)) {
- printf("rtsp: warning: setting NEW session: %s\n", s->buffer);
+ if (strcmp(buf, s->session)) {
+ printf("rtsp: warning: setting NEW session: %s\n", buf);
 free(s->session);
- s->session=strdup(s->buffer);
+ s->session=strdup(buf);
 }
 } else {
 #ifdef LOG
- printf("rtsp: setting session id to: %s\n", s->buffer);
+ printf("rtsp: setting session id to: %s\n", s->buf);
 #endif
- s->session=strdup(s->buffer);
+ s->session=strdup(buf);
 }
+ free(buf);
 }
 *answer_ptr=answer;
 answer_ptr++;
@@ -555,13 +573,15 @@
 if ((buffer[0]=='S')&&(buffer[1]=='E')&&(buffer[2]=='T')&&(buffer[3]=='_')) {
 char *rest=rtsp_get(s);
- /* a real server wanna play table tennis? */
- memcpy(s->buffer, buffer, 4);
- strcpy(s->buffer+4, rest);
+ if (!rest)
+ return -1;
+ seq=-1;
 do {
 free(rest);
 rest=rtsp_get(s);
+ if (!rest)
+ return -1;
 if (!strncmp(rest,"Cseq:",5)) sscanf(rest,"Cseq: %u",&seq);
 } while (strlen(rest)!=0);
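Review bot: The LOG-only line in the `@@ -407,26 +422,29 @@` hunk prints `s->buf`, but the value is in the local `buf` and no `buf` member is visible in the struct, so a build with LOG defined will most likely fail; it should read `printf("rtsp: setting session id to: %s\n", buf);`. In the Server branch `buf` comes from `malloc`, so when `sscanf` converts nothing (a header with no value) `strdup(buf)` reads uninitialised heap memory, which the Session branch avoids by using `calloc`. Use `calloc(1, strlen(answer))` in both branches, or use `buf` only when `sscanf(...) == 1`. Both allocations also need a NULL check before `sscanf` writes through them. The enclosing function starts and ends outside the hunk.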