Skip to content
Snippets Groups Projects
Commit 51be4eff authored by Wim Taymans's avatar Wim Taymans Committed by Sebastian Dröge
Browse files

rtpgstdepay: avoid buffer overread.

Check that a caps event string is 0 terminated and the event string is
terminated with a ; to avoid buffer overreads.

Fixes https://bugzilla.gnome.org/show_bug.cgi?id=737591
parent f8726a5d
No related branches found
No related tags found
No related merge requests found
......@@ -232,6 +232,9 @@ read_caps (GstRtpGSTDepay * rtpgstdepay, GstBuffer * buf, guint * skip)
if (!read_length (rtpgstdepay, map.data, map.size, &length, &offset))
goto too_small;
if (length == 0 || map.data[offset + length - 1] != '\0')
goto invalid_buffer;
GST_DEBUG_OBJECT (rtpgstdepay, "parsing caps %s", &map.data[offset]);
/* parse and store in cache */
......@@ -249,6 +252,13 @@ too_small:
gst_buffer_unmap (buf, &map);
return NULL;
}
invalid_buffer:
{
GST_ELEMENT_WARNING (rtpgstdepay, STREAM, DECODE,
("caps string not 0-terminated."), (NULL));
gst_buffer_unmap (buf, &map);
return NULL;
}
}
static GstEvent *
......@@ -269,6 +279,9 @@ read_event (GstRtpGSTDepay * rtpgstdepay, guint type,
if (!read_length (rtpgstdepay, map.data, map.size, &length, &offset))
goto too_small;
if (length == 0 || map.data[offset + length - 1] != ';')
goto invalid_buffer;
GST_DEBUG_OBJECT (rtpgstdepay, "parsing event %s", &map.data[offset]);
/* parse */
......@@ -307,6 +320,13 @@ too_small:
gst_buffer_unmap (buf, &map);
return NULL;
}
invalid_buffer:
{
GST_ELEMENT_WARNING (rtpgstdepay, STREAM, DECODE,
("event string not 0-terminated."), (NULL));
gst_buffer_unmap (buf, &map);
return NULL;
}
parse_failed:
{
GST_WARNING_OBJECT (rtpgstdepay, "could not parse event");
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment