mirrors/gstreamer
mirrors/gstreamer
1
1
Fork 0
mirror of https://gitlab.freedesktop.org/gstreamer/gstreamer.git synced 2024-10-05 02:02:26 +00:00
Code Issues 1 Projects Releases Wiki Activity

sdp: prevent the sdp message parser from reading past the end of the buffer

Browse source 
Otherwise, a malformed SDP message could crash the application,
or even maliciously gather data from the memory located after
this buffer...

https://bugzilla.gnome.org/show_bug.cgi?id=750096
This commit is contained in:
George Kiagiadakis 2015-05-29 13:15:59 +02:00
parent a998d380bd
commit 6ab46d8f0a
1 changed files with 23 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
gst-libs/gst/sdp/gstsdpmessage.c
View file

@ -2962,21 +2962,33 @@ gst_sdp_message_parse_buffer (const guint8 * data, guint size,
c.msg = msg;
c.media = NULL;
#define SIZE_CHECK_GUARD \
G_STMT_START { \
if (p - (gchar *) data >= size) \
goto out; \
} G_STMT_END
p = (gchar *) data;
while (TRUE) {
while (g_ascii_isspace (*p))
while (p - (gchar *) data < size && g_ascii_isspace (*p))
p++;
SIZE_CHECK_GUARD;
type = *p++;
if (type == '\0')
break;
SIZE_CHECK_GUARD;
if (*p != '=')
goto line_done;
p++;
SIZE_CHECK_GUARD;
s = p;
while (*p != '\n' && *p != '\r' && *p != '\0')
while (p - (gchar *) data < size && *p != '\n' && *p != '\r' && *p != '\0')
p++;
len = p - s;
@ -2989,13 +3001,21 @@ gst_sdp_message_parse_buffer (const guint8 * data, guint size,
gst_sdp_parse_line (&c, type, buffer);
SIZE_CHECK_GUARD;
line_done:
while (*p != '\n' && *p != '\0')
while (p - (gchar *) data < size && *p != '\n' && *p != '\0')
p++;
SIZE_CHECK_GUARD;
if (*p == '\n')
p++;
}
#undef SIZE_CHECK_GUARD
out:
if (buffer)
g_free (buffer);