From: Tobias Ronge <tobiasr@axis.com>
Date: Thu, 14 Mar 2019 09:12:27 +0000 (+0100)
Subject: gstrtspconnection: Security loophole making heap overflow
X-Git-Tag: 1.19.3~511^2~1180
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f672277509705c4034bc92a141eefee4524d15aa;p=platform%2Fupstream%2Fgstreamer.git

gstrtspconnection: Security loophole making heap overflow

The former code allowed an attacker to create a heap overflow by
sending a longer than allowed session id in a response and including a
semicolon to change the maximum length. With this change, the parser
will never go beyond 512 bytes.
---

diff --git a/gst-libs/gst/rtsp/gstrtspconnection.c b/gst-libs/gst/rtsp/gstrtspconnection.c
index a6755be..c042906 100644
--- a/gst-libs/gst/rtsp/gstrtspconnection.c
+++ b/gst-libs/gst/rtsp/gstrtspconnection.c
@@ -2461,7 +2461,7 @@ build_next (GstRTSPBuilder * builder, GstRTSPMessage * message,
           maxlen = sizeof (conn->session_id) - 1;
           /* the sessionid can have attributes marked with ;
            * Make sure we strip them */
-          for (i = 0; session_id[i] != '\0'; i++) {
+          for (i = 0; i < maxlen && session_id[i] != '\0'; i++) {
             if (session_id[i] == ';') {
               maxlen = i;
               /* parse timeout */