rtpvorbisdepay: fix unbounded memory usage

All received configurations are parsed and added to a list, this lead
to an unbounded memory usage. As the configuration is resent every
second this quickly lead to a large memory usage.

Add a check to only add the config if it is not already available in
the list. This fix only handle the typical case of a well behaved
stream, a malicious server could still send many useless
configurations to raise the client memory usage.

diff --git a/gst/rtp/gstrtpvorbisdepay.c b/gst/rtp/gstrtpvorbisdepay.c
index 762750a..d3618b9 100644 (file)
--- a/gst/rtp/gstrtpvorbisdepay.c
+++ b/gst/rtp/gstrtpvorbisdepay.c
@@ -134,6 +134,22 @@ gst_rtp_vorbis_depay_finalize (GObject * object)
   G_OBJECT_CLASS (parent_class)->finalize (object);
 }
 
+static gboolean
+gst_rtp_vorbis_depay_has_ident (GstRtpVorbisDepay * rtpvorbisdepay,
+    guint32 ident)
+{
+  GList *walk;
+
+  for (walk = rtpvorbisdepay->configs; walk; walk = g_list_next (walk)) {
+    GstRtpVorbisConfig *conf = (GstRtpVorbisConfig *) walk->data;
+
+    if (conf->ident == ident)
+      return TRUE;
+  }
+
+  return FALSE;
+}
+
 /* takes ownership of confbuf */
 static gboolean
 gst_rtp_vorbis_depay_parse_configuration (GstRtpVorbisDepay * rtpvorbisdepay,
@@ -228,6 +244,13 @@ gst_rtp_vorbis_depay_parse_configuration (GstRtpVorbisDepay * rtpvorbisdepay,
     if (size < length && size + 1 != length)
       goto too_small;
 
+    if (gst_rtp_vorbis_depay_has_ident (rtpvorbisdepay, ident)) {
+      size -= length;
+      data += length;
+      offset += length;
+      continue;
+    }
+
     /* read header sizes we read 2 sizes, the third size (for which we allocate
      * space) must be derived from the total packed header length. */
     h_sizes = g_newa (guint, n_headers + 1);