changeset 22185:80ff3962cef4

More boundary checks for fixed-length arrays. Some of them may have been exploitable.
author rtogni
date Sun, 11 Feb 2007 17:54:18 +0000
parents d9115ad11744
children c6edb6c59a7a
files stream/realrtsp/asmrp.c
diffstat 1 files changed, 12 insertions(+), 4 deletions(-) [+]
line wrap: on
line diff
--- a/stream/realrtsp/asmrp.c	Sun Feb 11 13:23:13 2007 +0000
+++ b/stream/realrtsp/asmrp.c	Sun Feb 11 17:54:18 2007 +0000
@@ -161,9 +161,11 @@
 
   while ( (p->ch!='"') && (p->ch>=32) ) {
 
-    p->str[l] = p->ch;
+    if(l < ASMRP_MAX_ID - 1)
+      p->str[l++] = p->ch;
+    else
+      mp_msg(MSGT_STREAM, MSGL_ERR, "error: string too long, ignoring char %c.\n", p->ch);
 
-    l++;
     asmrp_getch (p);
   }
   p->str[l]=0;
@@ -183,9 +185,11 @@
   while ( ((p->ch>='A') && (p->ch<='z'))
 	  || ((p->ch>='0') && (p->ch<='9'))) {
 
-    p->str[l] = p->ch;
+    if(l < ASMRP_MAX_ID - 1)
+      p->str[l++] = p->ch;
+    else
+      mp_msg(MSGT_STREAM, MSGL_ERR, "error: identifier too long, ignoring char %c.\n", p->ch);
 
-    l++;
     asmrp_getch (p);
   }
   p->str[l]=0;
@@ -381,6 +385,10 @@
   i = asmrp_find_id (p, s);
 
   if (i<0) {
+    if (p->sym_tab_num == ASMRP_MAX_SYMTAB - 1) {
+      mp_msg(MSGT_STREAM, MSGL_ERR, "sym_tab overflow, ignoring identifier %s\n", s);
+      return 0;
+    }
     i = p->sym_tab_num;
     p->sym_tab_num++;
     p->sym_tab[i].id = strdup (s);