[MPlayer-cvslog] r22203 - trunk/stream/realrtsp/asmrp.c
rtogni
subversion at mplayerhq.hu
Sun Feb 11 18:54:18 CET 2007
Author: rtogni
Date: Sun Feb 11 18:54:18 2007
New Revision: 22203
Modified:
trunk/stream/realrtsp/asmrp.c
Log:
More boundary checks for fixed-length arrays. Some of them may have been
exploitable.
Modified: trunk/stream/realrtsp/asmrp.c
==============================================================================
--- trunk/stream/realrtsp/asmrp.c (original)
+++ trunk/stream/realrtsp/asmrp.c Sun Feb 11 18:54:18 2007
@@ -161,9 +161,11 @@
while ( (p->ch!='"') && (p->ch>=32) ) {
- p->str[l] = p->ch;
+ if(l < ASMRP_MAX_ID - 1)
+ p->str[l++] = p->ch;
+ else
+ mp_msg(MSGT_STREAM, MSGL_ERR, "error: string too long, ignoring char %c.\n", p->ch);
- l++;
asmrp_getch (p);
}
p->str[l]=0;
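Review bot: The new `else` branch calls `mp_msg` at `MSGL_ERR` once for every character past the limit, so a single overlong quoted string yields one log line per excess byte; the identifier loop in the next hunk has the same pattern. The parsed text presumably comes from the remote server, so the truncation is better reported once per token: set a flag in the loop (`else truncated = 1;`) and log after it with `if (truncated) mp_msg(MSGT_STREAM, MSGL_ERR, "error: string too long, truncated.\n");`. A comment above the bound check, such as `/* keep one byte for the terminating 0 written after the loop */`, would explain the `- 1`. The enclosing function starts and ends outside the hunk.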
@@ -183,9 +185,11 @@
while ( ((p->ch>='A') && (p->ch<='z'))
|| ((p->ch>='0') && (p->ch<='9'))) {
- p->str[l] = p->ch;
+ if(l < ASMRP_MAX_ID - 1)
+ p->str[l++] = p->ch;
+ else
+ mp_msg(MSGT_STREAM, MSGL_ERR, "error: identifier too long, ignoring char %c.\n", p->ch);
- l++;
asmrp_getch (p);
}
p->str[l]=0;
@@ -381,6 +385,10 @@
i = asmrp_find_id (p, s);
if (i<0) {
+ if (p->sym_tab_num == ASMRP_MAX_SYMTAB - 1) {
+ mp_msg(MSGT_STREAM, MSGL_ERR, "sym_tab overflow, ignoring identifier %s\n", s);
+ return 0;
+ }
i = p->sym_tab_num;
p->sym_tab_num++;
p->sym_tab[i].id = strdup (s);
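Review bot: The overflow guard tests `p->sym_tab_num == ASMRP_MAX_SYMTAB - 1`, which stops growth only at exactly that value; if the counter is ever at or above it by another path, the write to `p->sym_tab[i]` still happens. `if (p->sym_tab_num >= ASMRP_MAX_SYMTAB - 1) {` is the more defensive form. Whether the last slot is meant to stay unused cannot be seen here, because the array declaration is outside the hunk. The `return 0` is also ambiguous if this function returns the symbol index, as `i = asmrp_find_id (p, s)` suggests: the caller cannot tell a rejected identifier from the first table entry and may then act on symbol 0. A negative return that callers check would avoid that. The function starts and ends outside the hunk.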