--- MPlayer-1.0pre5/libmpdemux/realrtsp/real.c  2004-04-25 02:17:23.000000000 +0200
+++ MPlayer-1.0pre5try2/libmpdemux/realrtsp/real.c      2004-12-15 21:35:34.000000000 +0100
@@ -683,6 +683,8 @@
  return 1;
}

+//! maximum size of the rtsp description, must be < INT_MAX
+#define MAX_DESC_BUF (20 * 1024 * 1024)
rmff_header_t  *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwidth) {

  char *description=NULL;
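Review bot: `MAX_DESC_BUF` expands to a signed `int` expression, so the later `size > MAX_DESC_BUF` test rejects negative lengths only if `size` really is declared unsigned (its declaration is outside both hunks), and the `%u` in the new error message is handed an `int` argument. Writing the constant as `#define MAX_DESC_BUF (20u * 1024 * 1024)` forces the comparison to be unsigned however `size` is declared and makes the argument match the format specifier. The doc comment could also state why the limit must stay below INT_MAX, since that reason is not visible here. The body of `real_setup_and_get_header` continues past this hunk.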
@@ -733,13 +735,21 @@
  else
    size=atoi(rtsp_search_answers(rtsp_session,"Content-length"));

+  // as size is unsigned this also catches the case (size < 0)
+  if (size > MAX_DESC_BUF) {
+    printf("real: Content-length for description too big (> %uMB)!\n",
+            MAX_DESC_BUF/(1024*1024) );
+    xbuffer_free(buf);
+    return NULL;
+  }
+
  if (!rtsp_search_answers(rtsp_session,"ETag"))
    printf("real: got no ETag!\n");
  else
    session_id=strdup(rtsp_search_answers(rtsp_session,"ETag"));

#ifdef LOG
-  printf("real: Stream description size: %i\n", size);
+  printf("real: Stream description size: %u\n", size);
#endif

  description=malloc(sizeof(char)*(size+1));
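Review bot: The new limit is applied to a value that still comes from `atoi()` on the server-supplied Content-length header (the context line just above the check), which reports no errors and has undefined behaviour for out-of-range digit strings, so the bound depends on how the C library happens to handle overflow. Parsing with `strtoul()` and rejecting the response when no digits were consumed or `errno == ERANGE` would give the comparison a well-defined input. Since descriptions of up to 20 MB are still accepted, the result of the `malloc` on the last line should be checked before it is written to. The code after it is outside this hunk, so confirm that a NULL return frees `buf` and `session_id` and returns NULL, as the new error path does for `buf`.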