pa_atou() return value was not checked, and the cast of a 16-bit variable pointer to a 32-bit variable pointer could corrupt cseq.
---
 src/modules/rtp/rtsp_client.c | 12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/modules/rtp/rtsp_client.c b/src/modules/rtp/rtsp_client.c
index 71692c2..675b5d4 100644
--- a/src/modules/rtp/rtsp_client.c
+++ b/src/modules/rtp/rtsp_client.c
@@ -143,9 +143,17 @@ static void headers_read(pa_rtsp_client *c) {
 
 /* Now parse out the server port component of the response. */
 while ((token = pa_split(c->transport, delimiters, &token_state))) {
- if ((pc = strstr(token, "="))) {
+ if ((pc = strchr(token, '='))) {
 if (0 == strncmp(token, "server_port", 11)) {
- pa_atou(pc+1, (uint32_t*)(&c->rtp_port));
+ uint32_t p;
+
+ if (pa_atou(pc + 1, &p) < 0 || p <= 0 || p >= 0x10000) {
+ pa_log("Invalid SETUP response (invalid server_port).");
+ pa_xfree(token);
+ return;
+ }
+
+ c->rtp_port = p;
 pa_xfree(token);
 break;
 }
--
1.7.8
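Review bot: The key comparison `strncmp(token, "server_port", 11)` is still only a prefix match, while `pc` comes from `strchr(token, '=')` and can sit anywhere in the token, so a server-supplied parameter such as `server_portX=...` would be accepted as the port. Tying the two together closes that gap, for example `if (pc - token == 11 && 0 == strncmp(token, "server_port", 11)) {`. Because `p` is a `uint32_t`, `p <= 0` can only mean `p == 0`, and writing it as `p == 0 || p > 0xFFFF` states the intended range directly. The new early `return` also skips whatever follows the loop in headers_read, which begins and ends outside this hunk, so it is worth confirming that the owner of the client is still told the SETUP failed and is not left waiting on it.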