[MPlayer-cvslog] CVS: main/libmpdemux/realrtsp real.c,1.10,1.11

[Reimar Döffinger CVS]

CVS change done by Reimar Döffinger CVS

Update of /cvsroot/mplayer/main/libmpdemux/realrtsp
In directory mail:/var2/tmp/cvs-serv10179/libmpdemux/realrtsp

Modified Files:
	real.c 
Log Message:
fix security vulnerability reported by iDEFENSE


Index: real.c
===================================================================
RCS file: /cvsroot/mplayer/main/libmpdemux/realrtsp/real.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- real.c	11 Dec 2004 23:59:36 -0000	1.10
+++ real.c	15 Dec 2004 18:16:24 -0000	1.11
@@ -691,6 +691,8 @@
   return 1;
 }
 
+//! maximum size of the rtsp description, must be < INT_MAX
+#define MAX_DESC_BUF (20 * 1024 * 1024)
 rmff_header_t  *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwidth) {
 
   char *description=NULL;
@@ -741,13 +743,21 @@
   else
     size=atoi(rtsp_search_answers(rtsp_session,"Content-length"));
 
+  // as size is unsigned this also catches the case (size < 0)
+  if (size > MAX_DESC_BUF) {
+    printf("real: Content-length for description too big (> %uMB)!\n",
+            MAX_DESC_BUF/(1024*1024) );
+    xbuffer_free(buf);
+    return NULL;
+  }
+
   if (!rtsp_search_answers(rtsp_session,"ETag"))
     printf("real: got no ETag!\n");
   else
     session_id=strdup(rtsp_search_answers(rtsp_session,"ETag"));
     
 #ifdef LOG
-  printf("real: Stream description size: %i\n", size);
+  printf("real: Stream description size: %u\n", size);
 #endif
 
   description=malloc(sizeof(char)*(size+1));