mirrors/gstreamer
mirrors/gstreamer
1
1
Fork 0
mirror of https://gitlab.freedesktop.org/gstreamer/gstreamer.git synced 2025-04-02 14:20:06 +00:00
Code Issues 1 Projects Releases Wiki Activity

rtpgstdepay: avoid buffer overread.

Browse source 
Check that a caps event string is 0 terminated and the event string is
terminated with a ; to avoid buffer overreads.

Fixes https://bugzilla.gnome.org/show_bug.cgi?id=737591
This commit is contained in:
Wim Taymans 2014-11-20 12:40:28 +01:00
parent 488d0b93cd
commit 9d2902d978
1 changed files with 20 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
gst/rtp/gstrtpgstdepay.c
View file

@ -232,6 +232,9 @@ read_caps (GstRtpGSTDepay * rtpgstdepay, GstBuffer * buf, guint * skip)
if (!read_length (rtpgstdepay, map.data, map.size, &length, &offset))
goto too_small;
if (length == 0 || map.data[offset + length - 1] != '\0')
goto invalid_buffer;
GST_DEBUG_OBJECT (rtpgstdepay, "parsing caps %s", &map.data[offset]);
/* parse and store in cache */
@ -249,6 +252,13 @@ too_small:
gst_buffer_unmap (buf, &map);
return NULL;
}
invalid_buffer:
{
GST_ELEMENT_WARNING (rtpgstdepay, STREAM, DECODE,
("caps string not 0-terminated."), (NULL));
gst_buffer_unmap (buf, &map);
return NULL;
}
}
static GstEvent *
@ -269,6 +279,9 @@ read_event (GstRtpGSTDepay * rtpgstdepay, guint type,
if (!read_length (rtpgstdepay, map.data, map.size, &length, &offset))
goto too_small;
if (length == 0 || map.data[offset + length - 1] != ';')
goto invalid_buffer;
GST_DEBUG_OBJECT (rtpgstdepay, "parsing event %s", &map.data[offset]);
/* parse */
@ -307,6 +320,13 @@ too_small:
gst_buffer_unmap (buf, &map);
return NULL;
}
invalid_buffer:
{
GST_ELEMENT_WARNING (rtpgstdepay, STREAM, DECODE,
("event string not 0-terminated."), (NULL));
gst_buffer_unmap (buf, &map);
return NULL;
}
parse_failed:
{
GST_WARNING_OBJECT (rtpgstdepay, "could not parse event");