rtpgstdepay: avoid buffer overread.

Check that a caps event string is 0 terminated and the event string is
terminated with a ; to avoid buffer overreads.

Fixes https://bugzilla.gnome.org/show_bug.cgi?id=737591

diff --git a/gst/rtp/gstrtpgstdepay.c b/gst/rtp/gstrtpgstdepay.c
index 5803f98..a340880 100644 (file)
--- a/gst/rtp/gstrtpgstdepay.c
+++ b/gst/rtp/gstrtpgstdepay.c
@@ -232,6 +232,9 @@ read_caps (GstRtpGSTDepay * rtpgstdepay, GstBuffer * buf, guint * skip)
   if (!read_length (rtpgstdepay, map.data, map.size, &length, &offset))
     goto too_small;
 
+  if (length == 0 || map.data[offset + length - 1] != '\0')
+    goto invalid_buffer;
+
   GST_DEBUG_OBJECT (rtpgstdepay, "parsing caps %s", &map.data[offset]);
 
   /* parse and store in cache */
@@ -249,6 +252,13 @@ too_small:
     gst_buffer_unmap (buf, &map);
     return NULL;
   }
+invalid_buffer:
+  {
+    GST_ELEMENT_WARNING (rtpgstdepay, STREAM, DECODE,
+        ("caps string not 0-terminated."), (NULL));
+    gst_buffer_unmap (buf, &map);
+    return NULL;
+  }
 }
 
 static GstEvent *
@@ -269,6 +279,9 @@ read_event (GstRtpGSTDepay * rtpgstdepay, guint type,
   if (!read_length (rtpgstdepay, map.data, map.size, &length, &offset))
     goto too_small;
 
+  if (length == 0 || map.data[offset + length - 1] != ';')
+    goto invalid_buffer;
+
   GST_DEBUG_OBJECT (rtpgstdepay, "parsing event %s", &map.data[offset]);
 
   /* parse */
@@ -307,6 +320,13 @@ too_small:
     gst_buffer_unmap (buf, &map);
     return NULL;
   }
+invalid_buffer:
+  {
+    GST_ELEMENT_WARNING (rtpgstdepay, STREAM, DECODE,
+        ("event string not 0-terminated."), (NULL));
+    gst_buffer_unmap (buf, &map);
+    return NULL;
+  }
 parse_failed:
   {
     GST_WARNING_OBJECT (rtpgstdepay, "could not parse event");