changeset 14163:dd835e8f3698

fix a problem pointed out by iDEFENSE and several similar ones.
author reimar
date Wed, 15 Dec 2004 19:12:46 +0000
parents 5f24743d1fb8
children 5901a6392db3
files libmpdemux/asf_mmst_streaming.c
diffstat 1 files changed, 25 insertions(+), 1 deletions(-) [+]
--- a/libmpdemux/asf_mmst_streaming.c	Wed Dec 15 19:01:36 2004 +0000
+++ b/libmpdemux/asf_mmst_streaming.c	Wed Dec 15 19:12:46 2004 +0000
@@ -42,6 +42,7 @@
 #include "network.h"
 
 #define BUF_SIZE 102400
+#define HDR_BUF_SIZE 8192
 
 typedef struct 
 {
@@ -216,6 +217,11 @@
 
 //      printf ("asf header packet detected, len=%d\n", packet_len);
 
+      if (packet_len < 0 || packet_len > HDR_BUF_SIZE - header_len) {
+        mp_msg(MSGT_NETWORK, MSGL_FATAL, "Invalid header size, giving up\n");
+        return 0;
+      }
+
       if (!get_data (s, &header[header_len], packet_len)) {
 	printf ("header data read failed\n");
 	return 0;
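Review bot: The new bound `HDR_BUF_SIZE - header_len` is only correct if `header` points at a buffer of at least HDR_BUF_SIZE bytes, and nothing visible in this hunk ties the two together except the macro that the last hunk also uses for `asf_header`. I would state that contract next to the check, e.g. `/* header must hold HDR_BUF_SIZE bytes; header_len + packet_len may not exceed it */`, or pass the capacity in alongside the pointer. The added failure path reports through `mp_msg` while the `header data read failed` case a few lines below still uses `printf`, so the two errors reach different log channels. The enclosing function starts and ends outside the hunk, so `packet_len` and `header_len` are assumed here to be `int`.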
@@ -250,6 +256,12 @@
       packet_len = get_32 ((unsigned char*)&packet_len, 0) + 4;
       
 //      printf ("command packet detected, len=%d\n", packet_len);
+
+      if (packet_len < 0 || packet_len > BUF_SIZE) {
+        mp_msg(MSGT_NETWORK, MSGL_FATAL,
+                "Invalid rtsp packet size, giving up\n");
+        return 0;
+      }
       
       if (!get_data (s, data, packet_len)) {
 	printf ("command data read failed\n");
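Review bot: The range check `packet_len < 0 || packet_len > BUF_SIZE` runs after `+ 4` has already been added to the length taken from the wire, so a value near the top of the range is judged only after the addition has wrapped; whether that is well defined depends on the return type of `get_32`, which is not visible here. Rejecting the raw value when it exceeds `BUF_SIZE - 4`, before adding 4, avoids relying on wraparound; the hunk at `@@ -380,6 +398,12 @@` has the same order. The message says `Invalid rtsp packet size` although the file is asf_mmst_streaming.c, which will mislead whoever reads the log; `"Invalid MMST packet size, giving up\n"` would match, here and in the two later hunks that repeat it. The same five-line check appears three times and could be one small static helper. The enclosing function continues outside the hunk.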
@@ -361,6 +373,12 @@
 
 //    printf ("asf media packet detected, len=%d\n", packet_len);
 
+    if (packet_len < 0 || packet_len > BUF_SIZE) {
+      mp_msg(MSGT_NETWORK, MSGL_FATAL,
+              "Invalid rtsp packet size, giving up\n");
+      return 0;
+    }
+      
     if (!get_data (s, data, packet_len)) {
       printf ("media data read failed\n");
       return 0;
@@ -380,6 +398,12 @@
 
     packet_len = get_32 ((unsigned char*)&packet_len, 0) + 4;
 
+    if (packet_len < 0 || packet_len > BUF_SIZE) {
+      mp_msg(MSGT_NETWORK, MSGL_FATAL,
+              "Invalid rtsp packet size, giving up\n");
+      return 0;
+    }
+
     if (!get_data (s, data, packet_len)) {
       printf ("command data read failed\n");
       return 0;
@@ -464,7 +488,7 @@
 {
   char                 str[1024];
   char                 data[BUF_SIZE];
-  uint8_t              asf_header[8192];
+  uint8_t              asf_header[HDR_BUF_SIZE];
   int                  asf_header_len;
   int                  len, i, packet_length;
   char                *path, *unescpath;