Jean-Baptiste Kempf pushed to branch master at VideoLAN / VLC
Commits:
e7161e25 by Marvin Scholz at 2021-06-23T09:15:44+00:00
access: rist: fix potential endless loop
The loop compared processed_bytes (uint16) with len (size_t), so if
len happens to be larger than UINT16_MAX, this condition would be
always true.
The value of len is capped by the "packet-size" option, which defaults
to RIST_MAX_PACKET_SIZE, so for this case to occur it would require the
user changing the option.
Found with lgtm.com
- - - - -
984117e4 by Marvin Scholz at 2021-06-23T09:15:44+00:00
access: rist: change type for name_length
The name length, which is actually the length of the CNAME field
is indicated as a positive integer, there is no way for it to be
negative.
- - - - -
1 changed file:
- modules/access/rist.c
Changes:
=====================================
modules/access/rist.c
=====================================
@@ -481,7 +481,7 @@ static void rtcp_input(stream_t *p_access, struct rist_flow
*flow, uint8_t *buf_
{
stream_sys_t *p_sys = p_access->p_sys;
uint8_t ptype;
- uint16_t processed_bytes = 0;
+ size_t processed_bytes = 0;
uint16_t records;
char new_sender_name[MAX_CNAME];
uint8_t *buf;
@@ -489,11 +489,11 @@ static void rtcp_input(stream_t *p_access, struct
rist_flow *flow, uint8_t *buf_
while (processed_bytes < len) {
buf = buf_in + processed_bytes;
/* safety checks */
- uint16_t bytes_left = len - processed_bytes + 1;
+ size_t bytes_left = len - processed_bytes + 1;
if ( bytes_left < 4 )
{
/* we must have at least 4 bytes */
- msg_Err(p_access, "Rist rtcp packet must have at least 4 bytes, we
have %d",
+ msg_Err(p_access, "Rist rtcp packet must have at least 4 bytes, we
have %zu",
bytes_left);
return;
}
@@ -511,7 +511,7 @@ static void rtcp_input(stream_t *p_access, struct rist_flow
*flow, uint8_t *buf_
{
/* check for a sane number of bytes */
msg_Err(p_access, "Malformed rtcp packet, wrong len %d, expecting
%u bytes in the " \
- "packet, got a buffer of %u bytes.", rtcp_get_length(buf),
bytes, bytes_left);
+ "packet, got a buffer of %zu bytes.", rtcp_get_length(buf),
bytes, bytes_left);
return;
}
@@ -530,13 +530,13 @@ static void rtcp_input(stream_t *p_access, struct
rist_flow *flow, uint8_t *buf_
if (p_sys->b_ismulticast)
return;
/* Check for changes in source IP address or port */
- int8_t name_length = rtcp_sdes_get_name_length(buf);
- if (name_length > bytes_left || name_length <= 0 ||
- (size_t)name_length > sizeof(new_sender_name))
+ uint8_t name_length = rtcp_sdes_get_name_length(buf);
+ if (name_length > bytes_left ||
+ name_length > sizeof(new_sender_name))
{
/* check for a sane number of bytes */
- msg_Err(p_access, "Malformed SDES packet, wrong cname
len %d, got a " \
- "buffer of %u bytes.", name_length, bytes_left);
+ msg_Err(p_access, "Malformed SDES packet, wrong cname
len %"PRIu8", got a " \
+ "buffer of %zu bytes.", name_length, bytes_left);
return;
}
bool ip_port_changed = false;
View it on GitLab:
https://code.videolan.org/videolan/vlc/-/compare/254cc167bcafeebd003d15c9c7787b7d7f8ab2b3...984117e415f74d00aaa874257aec1b664d80afb9
--
View it on GitLab:
https://code.videolan.org/videolan/vlc/-/compare/254cc167bcafeebd003d15c9c7787b7d7f8ab2b3...984117e415f74d00aaa874257aec1b664d80afb9
You're receiving this email because of your account on code.videolan.org.
_______________________________________________
vlc-commits mailing list
vlc-commits@videolan.org
https://mailman.videolan.org/listinfo/vlc-commits
