path: root/multimedia/xine-lib/patches/patch-ga
blob: 2f777bff1d524cb9953525e9cc7c03437e465f1f (plain)
$NetBSD: patch-ga,v 1.3 2008/03/19 16:09:35 drochner Exp $

--- src/input/libreal/sdpplin.c.orig	2008-03-19 16:33:16.000000000 +0100
+++ src/input/libreal/sdpplin.c
@@ -143,7 +143,14 @@ static sdpplin_stream_t *sdpplin_parse_s
     handled=0;
     
     if(filter(*data,"a=control:streamid=",&buf)) {
-      desc->stream_id=atoi(buf);
+      /* This way negative values are mapped to unfeasibly high
+       * values, and will be discarded afterward
+       */
+      unsigned long tmp = strtoul(buf, NULL, 10);
+      if ( tmp > UINT16_MAX )
+	lprintf("stream id out of bound: %lu\n", tmp);
+      else
+	desc->stream_id=tmp;
       handled=1;
       *data=nl(*data);
     }
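Review bot: When the `tmp > UINT16_MAX` branch rejects the value, `desc->stream_id` keeps whatever it held before and the line is still marked `handled=1`, so the caller cannot tell a rejected id from a valid one. If the descriptor is zero-initialised on allocation (not visible in this hunk), a rejected id silently becomes stream 0 and later passes the `stream_id >= stream_count` test in `sdpplin_parse`. `strtoul(buf, NULL, 10)` also returns 0 for non-numeric text; parsing with `char *end; unsigned long tmp = strtoul(buf, &end, 10);` and testing `if ( end == buf || tmp > UINT16_MAX )` would separate malformed input from a real 0, and the rejection should be recorded in a way the caller checks rather than only logged. The body of `sdpplin_parse_stream` starts and ends outside the hunk.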
@@ -199,7 +206,7 @@ static sdpplin_stream_t *sdpplin_parse_s
     if(filter(*data,"a=OpaqueData:buffer;",&buf)) {
       decoded = b64_decode(buf, decoded, &(desc->mlti_data_size));
       if ( decoded != NULL ) {
-	desc->mlti_data = malloc(sizeof(char)*desc->mlti_data_size);
+	desc->mlti_data = calloc(desc->mlti_data_size, sizeof(char));
 	memcpy(desc->mlti_data, decoded, desc->mlti_data_size);
 	handled=1;
 	*data=nl(*data);
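Review bot: The result of `calloc` is passed straight to `memcpy` on the next line, so an allocation failure still ends in a write through NULL; switching from `malloc` does not add that check. The size comes from `b64_decode` on stream-description data, so a failed allocation is reachable from input. Guard the copy with `if ( desc->mlti_data != NULL ) memcpy(desc->mlti_data, decoded, desc->mlti_data_size);` and set `desc->mlti_data_size = 0;` otherwise, so later readers do not trust a length with no buffer behind it. The zero-fill from `calloc` is overwritten in full by the copy, so it adds no protection here. The enclosing function continues outside the hunk.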
@@ -252,7 +259,10 @@ sdpplin_t *sdpplin_parse(char *data) {
       }
       stream=sdpplin_parse_stream(&data);
       lprintf("got data for stream id %u\n", stream->stream_id);
-      desc->stream[stream->stream_id]=stream;
+      if ( stream->stream_id >= desc->stream_count )
+	lprintf("stream id %u is greater than stream count %u\n", stream->stream_id, desc->stream_count);
+      else
+	desc->stream[stream->stream_id]=stream;
       continue;
     }
 
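Review bot: On the rejected path (`stream->stream_id >= desc->stream_count`) the freshly parsed `stream` is neither stored nor released, so every out-of-range stream section in a description leaks one `sdpplin_stream_t` plus whatever it owns (the patch shows at least `mlti_data` being allocated for it). Release the stream in that branch using the file's existing teardown for stream descriptors. An in-range id that repeats also overwrites `desc->stream[stream->stream_id]` without freeing the earlier entry. The `lprintf` above dereferences `stream` unconditionally; if `sdpplin_parse_stream` can return NULL (not visible here), that needs a check first. The message text says "greater than" while the test is `>=`; "not below stream count" would match the condition.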
@@ -293,8 +303,15 @@ sdpplin_t *sdpplin_parse(char *data) {
     }
     
     if(filter(data,"a=StreamCount:integer;",&buf)) {
-      desc->stream_count=atoi(buf);
-      desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
+      /* This way negative values are mapped to unfeasibly high
+       * values, and will be discarded afterward
+       */
+      unsigned long tmp = strtoul(buf, NULL, 10);
+      if ( tmp > UINT16_MAX )
+	lprintf("stream count out of bound: %lu\n", tmp);
+      else
+	desc->stream_count = tmp;
+      desc->stream = calloc(desc->stream_count, sizeof(sdpplin_stream_t*));
       handled=1;
       data=nl(data);
     }
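Review bot: `desc->stream` is not checked after `calloc`, so when the allocation fails with a non-zero `desc->stream_count` the bounds test added in the `sdpplin_parse` stream branch still passes and `desc->stream[stream->stream_id]=stream` writes through NULL. Add `if ( desc->stream == NULL ) desc->stream_count = 0;` right after the `calloc` so the count and the array stay consistent. A second `a=StreamCount:` line also replaces `desc->stream` without freeing the previous array or the streams already stored in it; freeing the old array first, or ignoring a repeated line, would close that leak. `sdpplin_parse` starts and ends outside the hunk.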