# HG changeset patch # User rtogni # Date 1171216458 0 # Node ID 80ff3962cef4d0959219ee48d721aa2bf68daf4c # Parent d9115ad11744727dfc5df302427e137fdb2e95d7 More boundary checks for fixed-length arrays. Some of them may have been exploitable. diff -r d9115ad11744 -r 80ff3962cef4 stream/realrtsp/asmrp.c --- a/stream/realrtsp/asmrp.c Sun Feb 11 13:23:13 2007 +0000 +++ b/stream/realrtsp/asmrp.c Sun Feb 11 17:54:18 2007 +0000 @@ -161,9 +161,11 @@ while ( (p->ch!='"') && (p->ch>=32) ) { - p->str[l] = p->ch; + if(l < ASMRP_MAX_ID - 1) + p->str[l++] = p->ch; + else + mp_msg(MSGT_STREAM, MSGL_ERR, "error: string too long, ignoring char %c.\n", p->ch); - l++; asmrp_getch (p); } p->str[l]=0; @@ -183,9 +185,11 @@ while ( ((p->ch>='A') && (p->ch<='z')) || ((p->ch>='0') && (p->ch<='9'))) { - p->str[l] = p->ch; + if(l < ASMRP_MAX_ID - 1) + p->str[l++] = p->ch; + else + mp_msg(MSGT_STREAM, MSGL_ERR, "error: identifier too long, ignoring char %c.\n", p->ch); - l++; asmrp_getch (p); } p->str[l]=0; @@ -381,6 +385,10 @@ i = asmrp_find_id (p, s); if (i<0) { + if (p->sym_tab_num == ASMRP_MAX_SYMTAB - 1) { + mp_msg(MSGT_STREAM, MSGL_ERR, "sym_tab overflow, ignoring identifier %s\n", s); + return 0; + } i = p->sym_tab_num; p->sym_tab_num++; p->sym_tab[i].id = strdup (s);
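Review bot: In the @@ -161,9 hunk (quoted-string loop), the else branch calls mp_msg at MSGL_ERR once for every character past the limit, so a single overlong string yields one error line per excess character. Log once when l first reaches ASMRP_MAX_ID - 1 (a flag is enough) and keep consuming silently until the closing quote. The bound also assumes p->str is declared with ASMRP_MAX_ID bytes, which these lines do not show; if str is an array member, `l < sizeof(p->str) - 1` would tie the check to the buffer itself.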
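Review bot: In the @@ -183,9 hunk (identifier loop), an overlong identifier is cut to ASMRP_MAX_ID - 1 characters and parsing continues as if it were valid, so two distinct identifiers that share that prefix leave the same string in p->str. Consider treating the overflow as a parse error instead of carrying on with the truncated name, or at least document the truncation where ASMRP_MAX_ID is defined. The else branch also logs once per dropped character; a single message per identifier would do.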
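Review bot: In the @@ -381,6 hunk, the new guard tests `p->sym_tab_num == ASMRP_MAX_SYMTAB - 1` and its failure path is `return 0;`, and both need a second look. Use `>=` so the guard still holds if sym_tab_num is ever past the limit, and confirm the array size: if sym_tab has ASMRP_MAX_SYMTAB entries, stopping at ASMRP_MAX_SYMTAB - 1 leaves the last slot unused, which deserves a comment if intentional. If this function returns the symbol index (the rest of it is not shown here), 0 cannot be told apart from the first table entry; a negative value that callers check would make the failure visible.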