From 9d2902d978905acf3ecc88dd331b20072dc9eab0 Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Thu, 20 Nov 2014 12:40:28 +0100 Subject: [PATCH] rtpgstdepay: avoid buffer overread. Check that a caps event string is 0 terminated and the event string is terminated with a ; to avoid buffer overreads. Fixes https://bugzilla.gnome.org/show_bug.cgi?id=737591 --- gst/rtp/gstrtpgstdepay.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/gst/rtp/gstrtpgstdepay.c b/gst/rtp/gstrtpgstdepay.c index 5803f98..a340880 100644 --- a/gst/rtp/gstrtpgstdepay.c +++ b/gst/rtp/gstrtpgstdepay.c @@ -232,6 +232,9 @@ read_caps (GstRtpGSTDepay * rtpgstdepay, GstBuffer * buf, guint * skip) if (!read_length (rtpgstdepay, map.data, map.size, &length, &offset)) goto too_small; + if (length == 0 || map.data[offset + length - 1] != '\0') + goto invalid_buffer; + GST_DEBUG_OBJECT (rtpgstdepay, "parsing caps %s", &map.data[offset]); /* parse and store in cache */ @@ -249,6 +252,13 @@ too_small: gst_buffer_unmap (buf, &map); return NULL; } +invalid_buffer: + { + GST_ELEMENT_WARNING (rtpgstdepay, STREAM, DECODE, + ("caps string not 0-terminated."), (NULL)); + gst_buffer_unmap (buf, &map); + return NULL; + } } static GstEvent * @@ -269,6 +279,9 @@ read_event (GstRtpGSTDepay * rtpgstdepay, guint type, if (!read_length (rtpgstdepay, map.data, map.size, &length, &offset)) goto too_small; + if (length == 0 || map.data[offset + length - 1] != ';') + goto invalid_buffer; + GST_DEBUG_OBJECT (rtpgstdepay, "parsing event %s", &map.data[offset]); /* parse */ @@ -307,6 +320,13 @@ too_small: gst_buffer_unmap (buf, &map); return NULL; } +invalid_buffer: + { + GST_ELEMENT_WARNING (rtpgstdepay, STREAM, DECODE, + ("event string not 0-terminated."), (NULL)); + gst_buffer_unmap (buf, &map); + return NULL; + } parse_failed: { GST_WARNING_OBJECT (rtpgstdepay, "could not parse event"); -- 2.7.4