summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorWim Taymans <wtaymans@redhat.com>2014-11-20 12:40:28 +0100
committerSebastian Dröge <sebastian@centricular.com>2014-11-24 11:45:50 +0100
commit51be4effcc2adcba2e0e50ef48610c506feef387 (patch)
tree1fb19cde64f7f073e2d524b7878481f1e867e90b
parentf8726a5d5f1bbbc6d0df8280ccf53247e1f9f019 (diff)
rtpgstdepay: avoid buffer overread.
Check that a caps event string is 0 terminated and the event string is terminated with a ; to avoid buffer overreads. Fixes https://bugzilla.gnome.org/show_bug.cgi?id=737591
Diffstat
-rw-r--r--gst/rtp/gstrtpgstdepay.c20
1 files changed, 20 insertions, 0 deletions
diff --git a/gst/rtp/gstrtpgstdepay.c b/gst/rtp/gstrtpgstdepay.c
index 5803f982c..a34088025 100644
--- a/gst/rtp/gstrtpgstdepay.c
+++ b/gst/rtp/gstrtpgstdepay.c
@@ -232,6 +232,9 @@ read_caps (GstRtpGSTDepay * rtpgstdepay, GstBuffer * buf, guint * skip)
if (!read_length (rtpgstdepay, map.data, map.size, &length, &offset))
goto too_small;
+ if (length == 0 || map.data[offset + length - 1] != '\0')
+ goto invalid_buffer;
+
GST_DEBUG_OBJECT (rtpgstdepay, "parsing caps %s", &map.data[offset]);
/* parse and store in cache */
@@ -249,6 +252,13 @@ too_small:
gst_buffer_unmap (buf, &map);
return NULL;
}
+invalid_buffer:
+ {
+ GST_ELEMENT_WARNING (rtpgstdepay, STREAM, DECODE,
+ ("caps string not 0-terminated."), (NULL));
+ gst_buffer_unmap (buf, &map);
+ return NULL;
+ }
}
static GstEvent *
@@ -269,6 +279,9 @@ read_event (GstRtpGSTDepay * rtpgstdepay, guint type,
if (!read_length (rtpgstdepay, map.data, map.size, &length, &offset))
goto too_small;
+ if (length == 0 || map.data[offset + length - 1] != ';')
+ goto invalid_buffer;
+
GST_DEBUG_OBJECT (rtpgstdepay, "parsing event %s", &map.data[offset]);
/* parse */
@@ -307,6 +320,13 @@ too_small:
gst_buffer_unmap (buf, &map);
return NULL;
}
+invalid_buffer:
+ {
+ GST_ELEMENT_WARNING (rtpgstdepay, STREAM, DECODE,
+ ("event string not 0-terminated."), (NULL));
+ gst_buffer_unmap (buf, &map);
+ return NULL;
+ }
parse_failed:
{
GST_WARNING_OBJECT (rtpgstdepay, "could not parse event");
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-24 21:37:33 +0000