--- MPlayer-1.0pre5/libmpdemux/asf_mmst_streaming.c 2004-07-02 22:36:50.000000000 +0200
+++ MPlayer-1.0pre5try2/libmpdemux/asf_mmst_streaming.c 2004-12-15 21:32:03.000000000 +0100
@@ -42,6 +42,7 @@
#include "network.h"
#define BUF_SIZE 102400
+#define HDR_BUF_SIZE 8192
typedef struct
{
@@ -216,6 +217,11 @@
// printf ("asf header packet detected, len=%d\n", packet_len);
+ if (packet_len < 0 || packet_len > HDR_BUF_SIZE - header_len) {
+ mp_msg(MSGT_NETWORK, MSGL_FATAL, "Invalid header size, giving up\n");
+ return 0;
+ }
+
if (!get_data (s, &header[header_len], packet_len)) {
printf ("header data read failed\n");
return 0;
@@ -250,6 +256,12 @@
packet_len = get_32 ((unsigned char*)&packet_len, 0) + 4;
// printf ("command packet detected, len=%d\n", packet_len);
+
+ if (packet_len < 0 || packet_len > BUF_SIZE) {
+ mp_msg(MSGT_NETWORK, MSGL_FATAL,
+ "Invalid rtsp packet size, giving up\n");
+ return 0;
+ }
if (!get_data (s, data, packet_len)) {
printf ("command data read failed\n");
@@ -361,6 +373,12 @@
// printf ("asf media packet detected, len=%d\n", packet_len);
+ if (packet_len < 0 || packet_len > BUF_SIZE) {
+ mp_msg(MSGT_NETWORK, MSGL_FATAL,
+ "Invalid rtsp packet size, giving up\n");
+ return 0;
+ }
+
if (!get_data (s, data, packet_len)) {
printf ("media data read failed\n");
return 0;
@@ -380,6 +398,12 @@
packet_len = get_32 ((unsigned char*)&packet_len, 0) + 4;
+ if (packet_len < 0 || packet_len > BUF_SIZE) {
+ mp_msg(MSGT_NETWORK, MSGL_FATAL,
+ "Invalid rtsp packet size, giving up\n");
+ return 0;
+ }
+
if (!get_data (s, data, packet_len)) {
printf ("command data read failed\n");
return 0;
@@ -464,7 +488,7 @@
{
char str[1024];
char data[BUF_SIZE];
- uint8_t asf_header[8192];
+ uint8_t asf_header[HDR_BUF_SIZE];
int asf_header_len;
int len, i, packet_length;
char *path, *unescpath;
