rtpvorbisdepay: fix unbounded memory usage

All received configurations are parsed and added to a list, which led
to unbounded memory usage. As the configuration is resent every
second, this quickly led to a large memory usage.

Add a check to only add the config if it is not already available in
the list. This fix only handles the typical case of a well-behaved
stream; a malicious server could still send many useless
configurations to raise the client memory usage.
Alban Bedel 2017-09-27 16:01:35 +02:00 committed by Tim-Philipp Müller
parent 82f2ac783b
commit 4e7ce28623


@ -134,6 +134,22 @@ gst_rtp_vorbis_depay_finalize (GObject * object)
G_OBJECT_CLASS (parent_class)->finalize (object); G_OBJECT_CLASS (parent_class)->finalize (object);
} }
static gboolean
gst_rtp_vorbis_depay_has_ident (GstRtpVorbisDepay * rtpvorbisdepay,
guint32 ident)
{
GList *walk;
for (walk = rtpvorbisdepay->configs; walk; walk = g_list_next (walk)) {
GstRtpVorbisConfig *conf = (GstRtpVorbisConfig *) walk->data;
if (conf->ident == ident)
return TRUE;
}
return FALSE;
}
/* takes ownership of confbuf */ /* takes ownership of confbuf */
static gboolean static gboolean
gst_rtp_vorbis_depay_parse_configuration (GstRtpVorbisDepay * rtpvorbisdepay, gst_rtp_vorbis_depay_parse_configuration (GstRtpVorbisDepay * rtpvorbisdepay,
@ -228,6 +244,13 @@ gst_rtp_vorbis_depay_parse_configuration (GstRtpVorbisDepay * rtpvorbisdepay,
if (size < length && size + 1 != length) if (size < length && size + 1 != length)
goto too_small; goto too_small;
if (gst_rtp_vorbis_depay_has_ident (rtpvorbisdepay, ident)) {
size -= length;
data += length;
offset += length;
continue;
}
/* read header sizes we read 2 sizes, the third size (for which we allocate /* read header sizes we read 2 sizes, the third size (for which we allocate
* space) must be derived from the total packed header length. */ * space) must be derived from the total packed header length. */
h_sizes = g_newa (guint, n_headers + 1); h_sizes = g_newa (guint, n_headers + 1);
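Review bot: The skip branch added in gst_rtp_vorbis_depay_parse_configuration advances by the full `length` even though the check directly above it deliberately lets the `size + 1 == length` case through, so `size -= length` can drop below zero. The declaration of `size` is outside the hunk; if it is unsigned, the value wraps to a very large number while `data` and `offset` move one byte past the remaining payload, and the size checks for any further config entry in the same packet would no longer bound the reads. Clamping the step keeps the counters consistent: `gsize skip = MIN (size, length);` followed by `size -= skip; data += skip; offset += skip;`. The loop that this `continue` returns to starts outside the hunk, so the per-entry checks at its top should be confirmed against the clamped values.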