
mplayer-1.0-1.rc1.20.6mdv2008.0.src.rpm

--- MPlayer-1.0rc1/stream/librtsp/rtsp_session.c
+++ MPlayer-1.0rc1/stream/librtsp/rtsp_session.c
@@ -141,6 +141,10 @@ rtsp_session_t *rtsp_session_start(int fd, char **mrl, char *path, char *host, i
     rtsp_session->real_session = init_real_rtsp_session ();
     rtsp_session->real_session->header_len =
       rmff_dump_header (h, (char *) rtsp_session->real_session->header, 1024);
+    if (rtsp_session->real_session->header_len < 0) {
+      printf("rtsp_session: rtsp server returned overly-large headers, session can not be established.\n");
+      goto session_abort;
+    }
 
     rtsp_session->real_session->recv =
       xbuffer_copyin (rtsp_session->real_session->recv, 0,
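Review bot: The new error path reports through `printf`, while the unsupported-server branch of the same function (next hunk) reports through `mp_msg`, so this message bypasses MPlayer's message levels; `mp_msg (MSGT_OPEN, MSGL_ERR, "rtsp_session: rtsp server returned overly-large headers, session can not be established.\n");` would match. The `goto session_abort` lands inside that branch's cleanup, which frees `server` and `mrl_line`. Whether both are still valid and unfreed at this point, and whether the `real_session` allocated just above is released on that path, cannot be seen from the hunk and is worth confirming. The literal `1024` passed as the size should also be tied to the declared size of `real_session->header`, which is outside the hunk.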
@@ -186,6 +191,7 @@ rtsp_session_t *rtsp_session_start(int fd, char **mrl, char *path, char *host, i
     {
       mp_msg (MSGT_OPEN, MSGL_ERR, "rtsp_session: unsupported RTSP server. ");
       mp_msg (MSGT_OPEN, MSGL_ERR, "Server type is '%s'.\n", server);
+      session_abort:
       rtsp_close (rtsp_session->s);
       free (server);
       free (mrl_line);
--- MPlayer-1.0rc1/stream/realrtsp/rmff.c
+++ MPlayer-1.0rc1/stream/realrtsp/rmff.c
@@ -74,9 +74,13 @@ static void hexdump (const char *buf, int length) {
  * writes header data to a buffer
  */
 
-static void rmff_dump_fileheader(rmff_fileheader_t *fileheader, char *buffer) {
+static int rmff_dump_fileheader(rmff_fileheader_t *fileheader, uint8_t *buffer, int bufsize) {
+
+  if (!fileheader) return 0;
+
+  if (bufsize < RMFF_FILEHEADER_SIZE)
+    return -1;
 
-  if (!fileheader) return;
   fileheader->object_id=BE_32(&fileheader->object_id);
   fileheader->size=BE_32(&fileheader->size);
   fileheader->object_version=BE_16(&fileheader->object_version);
@@ -92,11 +96,17 @@ static void rmff_dump_fileheader(rmff_fileheader_t *fileheader, char *buffer) {
   fileheader->file_version=BE_32(&fileheader->file_version);
   fileheader->num_headers=BE_32(&fileheader->num_headers);
   fileheader->object_id=BE_32(&fileheader->object_id);
+
+  return RMFF_FILEHEADER_SIZE;
 }
 
-static void rmff_dump_prop(rmff_prop_t *prop, char *buffer) {
+static int rmff_dump_prop(rmff_prop_t *prop, uint8_t *buffer, int bufsize) {
+
+  if (!prop) return 0;
+
+  if (bufsize < RMFF_PROPHEADER_SIZE)
+    return -1;
 
-  if (!prop) return;
   prop->object_id=BE_32(&prop->object_id);
   prop->size=BE_32(&prop->size);
   prop->object_version=BE_16(&prop->object_version);
@@ -132,13 +142,19 @@ static void rmff_dump_prop(rmff_prop_t *prop, char *buffer) {
   prop->num_streams=BE_16(&prop->num_streams);
   prop->flags=BE_16(&prop->flags);
   prop->object_id=BE_32(&prop->object_id);
+
+  return RMFF_PROPHEADER_SIZE;
 }
 
-static void rmff_dump_mdpr(rmff_mdpr_t *mdpr, char *buffer) {
+static int rmff_dump_mdpr(rmff_mdpr_t *mdpr, uint8_t *buffer, int bufsize) {
 
   int s1, s2, s3;
 
-  if (!mdpr) return;
+  if (!mdpr) return 0;
+
+  if (bufsize < RMFF_MDPRHEADER_SIZE + mdpr->type_specific_len + mdpr->stream_name_size + mdpr->mime_type_size)
+    return -1;
+
   mdpr->object_id=BE_32(&mdpr->object_id);
   mdpr->size=BE_32(&mdpr->size);
   mdpr->object_version=BE_16(&mdpr->object_version);
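Review bot: The bounds check in `rmff_dump_mdpr` adds three length fields together before comparing with `bufsize`, so it is only as reliable as that addition. If `type_specific_len` is a 32-bit unsigned field (its declaration is not in this diff), a very large value wraps the sum to a small number and the check passes; `bufsize` is also converted to unsigned for the comparison. These lengths presumably originate from the server's stream description, so it is safer to test each one against the space that remains, starting with `if (bufsize < RMFF_MDPRHEADER_SIZE || mdpr->type_specific_len > (unsigned)(bufsize - RMFF_MDPRHEADER_SIZE)) return -1;` and then the two name sizes against what is left. The same question applies to the four-field sum in the `rmff_dump_cont` check in the next hunk. The function body continues outside this hunk.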
@@ -180,13 +196,19 @@ static void rmff_dump_mdpr(rmff_mdpr_t *mdpr, char *buffer) {
   mdpr->duration=BE_32(&mdpr->duration);
   mdpr->object_id=BE_32(&mdpr->object_id);
 
+  return RMFF_MDPRHEADER_SIZE + s1 + s2 + s3;
 }
 
-static void rmff_dump_cont(rmff_cont_t *cont, char *buffer) {
+static int rmff_dump_cont(rmff_cont_t *cont, uint8_t *buffer, int bufsize) {
 
   int p;
 
-  if (!cont) return;
+  if (!cont) return 0;
+
+  if (bufsize < RMFF_CONTHEADER_SIZE + cont->title_len + cont->author_len +
+      cont->copyright_len + cont->comment_len)
+    return -1;
+
   cont->object_id=BE_32(&cont->object_id);
   cont->size=BE_32(&cont->size);
   cont->object_version=BE_16(&cont->object_version);
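Review bot: The size that is checked and the size that is returned are written as two separate expressions. In `rmff_dump_mdpr` the check uses the struct fields and the return uses `s1 + s2 + s3`; in `rmff_dump_cont` the four-field sum appears here and again at the return in the next hunk. Computing it once, `int need = RMFF_CONTHEADER_SIZE + cont->title_len + cont->author_len + cont->copyright_len + cont->comment_len;`, and using `need` for both the check and the return keeps the two from drifting apart. It also removes the dependence on the length fields being back in host order when the return re-reads them, which the visible lines do not show.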
@@ -220,11 +242,18 @@ static void rmff_dump_cont(rmff_cont_t *cont, char *buffer) {
   cont->size=BE_32(&cont->size);
   cont->object_version=BE_16(&cont->object_version);
   cont->object_id=BE_32(&cont->object_id);
+
+  return RMFF_CONTHEADER_SIZE + cont->title_len + cont->author_len +
+         cont->copyright_len + cont->comment_len;
 }
 
-static void rmff_dump_dataheader(rmff_data_t *data, char *buffer) {
+static int rmff_dump_dataheader(rmff_data_t *data, uint8_t *buffer, int bufsize) {
+
+  if (!data) return 0;
+
+  if (bufsize < RMFF_DATAHEADER_SIZE)
+    return -1;
 
-  if (!data) return;
   data->object_id=BE_32(&data->object_id);
   data->size=BE_32(&data->size);
   data->object_version=BE_16(&data->object_version);
@@ -240,31 +269,43 @@ static void rmff_dump_dataheader(rmff_data_t *data, char *buffer) {
   data->size=BE_32(&data->size);
   data->object_version=BE_16(&data->object_version);
   data->object_id=BE_32(&data->object_id);
+
+  return RMFF_DATAHEADER_SIZE;
 }
 
-int rmff_dump_header(rmff_header_t *h, char *buffer, int max) {
+int rmff_dump_header(rmff_header_t *h, void *buf_gen, int max) {
+  uint8_t *buffer = buf_gen;
 
-  int written=0;
+  int written=0, size;
   rmff_mdpr_t **stream=h->streams;
 
-  rmff_dump_fileheader(h->fileheader, &buffer[written]);
-  written+=h->fileheader->size;
-  rmff_dump_prop(h->prop, &buffer[written]);
-  written+=h->prop->size;
-  rmff_dump_cont(h->cont, &buffer[written]);
-  written+=h->cont->size;
+  if ((size=rmff_dump_fileheader(h->fileheader, &buffer[written], max)) < 0)
+    return -1;
+  written+=size;
+  max -= size;
+  if ((size=rmff_dump_prop(h->prop, &buffer[written], max)) < 0)
+    return -1;
+  written+=size;
+  max -= size;
+  if ((size=rmff_dump_cont(h->cont, &buffer[written], max)) < 0)
+    return -1;
+  written+=size;
+  max -= size;
   if (stream)
   {
     while(*stream)
     {
-      rmff_dump_mdpr(*stream, &buffer[written]);
-      written+=(*stream)->size;
+      if ((size=rmff_dump_mdpr(*stream, &buffer[written], max)) < 0)
+        return -1;
+      written+=size;
+      max -= size;
       stream++;
     }
   }
     
-  rmff_dump_dataheader(h->data, &buffer[written]);
-  written+=18;
+  if ((size=rmff_dump_dataheader(h->data, &buffer[written], max)) < 0)
+    return -1;
+  written+=size;
 
   return written;
 }
--- MPlayer-1.0rc1/stream/realrtsp/rmff.h
+++ MPlayer-1.0rc1/stream/realrtsp/rmff.h
@@ -49,6 +49,12 @@
 
 #define RMFF_HEADER_SIZE 0x12
 
+#define RMFF_FILEHEADER_SIZE 18
+#define RMFF_PROPHEADER_SIZE 50
+#define RMFF_MDPRHEADER_SIZE 46
+#define RMFF_CONTHEADER_SIZE 18
+#define RMFF_DATAHEADER_SIZE 18
+
 #define FOURCC_TAG( ch0, ch1, ch2, ch3 ) \
         (((long)(unsigned char)(ch3)       ) | \
         ( (long)(unsigned char)(ch2) << 8  ) | \
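Review bot: The five new size constants carry no comment saying what they measure, and they sit next to the existing `RMFF_HEADER_SIZE 0x12` with a similar name and a different radix. Because the bounds checks in rmff.c depend on them matching the byte offsets the dump functions write, a comment such as `/* fixed on-wire size of each chunk in bytes, excluding variable-length fields */` would make that contract explicit. The offsets themselves are outside this diff, so the values cannot be verified from here.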
@@ -255,7 +261,7 @@ int rmff_get_header_size(rmff_header_t *h);
 /*
  * dumps the header <h> to <buffer>. <max> is the size of <buffer>
  */
-int rmff_dump_header(rmff_header_t *h, char *buffer, int max);
+int rmff_dump_header(rmff_header_t *h, void *buf_gen, int max);
 
 /*
  * dumps a packet header
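Review bot: The comment above `rmff_dump_header` still names `<buffer>` although the parameter is now `buf_gen`, and it does not mention the new failure return that callers have to check. Suggested wording: `dumps the header <h> to <buf_gen>. <max> is the size of that buffer in bytes. returns the number of bytes written, or -1 if the header does not fit.` This patch updates only `rtsp_session_start`; any other caller of this function would need the same `< 0` check before using the result as a length.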