[pulseaudio-commits] src/modules
Tanu Kaskinen
tanuk at kemper.freedesktop.org
Tue Oct 23 03:30:10 PDT 2012
src/modules/rtp/rtsp_client.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
New commits:
commit 82e44a9f45cfb9e935f354986f91f5e2c85bf633
Author: Tanu Kaskinen <tanu.kaskinen at digia.com>
Date: Thu Mar 29 16:03:59 2012 +0300
rtp: Fix rtp_port reading.
pa_atou() return value was not checked, and the cast of a
16-bit variable pointer to a 32-bit variable pointer could
corrupt cseq.
diff --git a/src/modules/rtp/rtsp_client.c b/src/modules/rtp/rtsp_client.c
index 2c8b2dc..90521fe 100644
--- a/src/modules/rtp/rtsp_client.c
+++ b/src/modules/rtp/rtsp_client.c
@@ -143,9 +143,17 @@ static void headers_read(pa_rtsp_client *c) {
/* Now parse out the server port component of the response. */
while ((token = pa_split(c->transport, delimiters, &token_state))) {
- if ((pc = strstr(token, "="))) {
+ if ((pc = strchr(token, '='))) {
if (0 == strncmp(token, "server_port", 11)) {
- pa_atou(pc+1, (uint32_t*)(&c->rtp_port));
+ uint32_t p;
+
+ if (pa_atou(pc + 1, &p) < 0 || p <= 0 || p > 0xffff) {
+ pa_log("Invalid SETUP response (invalid server_port).");
+ pa_xfree(token);
+ return;
+ }
+
+ c->rtp_port = p;
pa_xfree(token);
break;
}
More information about the pulseaudio-commits
mailing list