[MPlayer-cvslog] r37640 - trunk/stream/realrtsp/real.c
reimar
subversion at mplayerhq.hu
Tue Feb 9 22:03:51 CET 2016
Author: reimar
Date: Tue Feb 9 22:03:51 2016
New Revision: 37640
Log:
realrtsp: Add some size range checks.
Should also fix some Coverity warnings.
Modified:
trunk/stream/realrtsp/real.c
Modified: trunk/stream/realrtsp/real.c
==============================================================================
--- trunk/stream/realrtsp/real.c Tue Feb 9 21:52:06 2016 (r37639)
+++ trunk/stream/realrtsp/real.c Tue Feb 9 22:03:51 2016 (r37640)
@@ -134,6 +134,9 @@ static int select_mlti_data(const char *
int numrules, codec, size;
int i;
+ const char *mlti_end = mlti_chunk + mlti_size;
+
+ if (mlti_size < 4) return 0;
/* MLTI chunk should begin with MLTI */
@@ -152,20 +155,25 @@ static int select_mlti_data(const char *
mlti_chunk+=4;
/* next 16 bits are the number of rules */
+ if (mlti_chunk > mlti_end - 2) return 0;
numrules=AV_RB16(mlti_chunk);
if (selection >= numrules) return 0;
/* now <numrules> indices of codecs follows */
/* we skip to selection */
+ if ((selection+1)*2 > mlti_end - mlti_chunk) return 0;
mlti_chunk+=(selection+1)*2;
/* get our index */
+ if (mlti_chunk > mlti_end - 2) return 0;
codec=AV_RB16(mlti_chunk);
/* skip to number of codecs */
+ if ((numrules-selection)*2 > mlti_end - mlti_chunk) return 0;
mlti_chunk+=(numrules-selection)*2;
/* get number of codecs */
+ if (mlti_chunk > mlti_end - 2) return 0;
numrules=AV_RB16(mlti_chunk);
if (codec >= numrules) {
@@ -178,11 +186,15 @@ static int select_mlti_data(const char *
/* now seek to selected codec */
for (i=0; i<codec; i++) {
+ if (mlti_chunk > mlti_end - 4) return 0;
size=AV_RB32(mlti_chunk);
+ if (size + 4 > mlti_end - mlti_chunk) return 0;
mlti_chunk+=size+4;
}
+ if (mlti_chunk > mlti_end - 4) return 0;
size=AV_RB32(mlti_chunk);
+ if (size > mlti_end - mlti_chunk - 4) return 0;
#ifdef LOG
hexdump(mlti_chunk+4, size);
More information about the MPlayer-cvslog
mailing list