On 03/29/2012 03:03 PM, Tanu Kaskinen wrote:
> pa_atou() return value was not checked, and the cast of a
> 16-bit variable pointer to a 32-bit variable pointer could
> corrupt cseq.
Good catch. Ack.
> ---
> src/modules/rtp/rtsp_client.c | 12 ++++++++++--
> 1 files changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/src/modules/rtp/rtsp_client.c b/src/modules/rtp/rtsp_client.c
> index 71692c2..675b5d4 100644
> --- a/src/modules/rtp/rtsp_client.c
> +++ b/src/modules/rtp/rtsp_client.c
> @@ -143,9 +143,17 @@ static void headers_read(pa_rtsp_client *c) {
>
> /* Now parse out the server port component of the response. */
> while ((token = pa_split(c->transport, delimiters,&token_state))) {
> - if ((pc = strstr(token, "="))) {
> + if ((pc = strchr(token, '='))) {
> if (0 == strncmp(token, "server_port", 11)) {
> - pa_atou(pc+1, (uint32_t*)(&c->rtp_port));
> + uint32_t p;
> +
> + if (pa_atou(pc + 1,&p)< 0 || p<= 0 || p>= 0x10000) {
> + pa_log("Invalid SETUP response (invalid server_port).");
> + pa_xfree(token);
> + return;
> + }
> +
> + c->rtp_port = p;
> pa_xfree(token);
> break;
> }
-- David Henningsson, Canonical Ltd. http://launchpad.net/~diwic
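Review bot: The key comparison `strncmp(token, "server_port", 11)` is still a prefix match, so a server-supplied token such as `server_portX=...` would pass it and have its value stored as the RTP port. Since `pc` now points at the first `=`, the key length is known and the test can be made exact: `if (pc - token == 11 && 0 == strncmp(token, "server_port", 11)) {`. As a smaller style point, `p` is a `uint32_t`, so `p <= 0` can only mean `p == 0`, and writing it that way states the intent. The new error path returns from inside the loop, and `headers_read()` starts and ends outside this hunk, so it is worth confirming that nothing after the loop was expected to run on failure.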