avformat/rtsp: Fix out-of-bounds read in SDP parser when control_url is empty
Guard against empty string before reading the last byte in control_url. When parsing relative a=control: paths, if no base control URL was set, the code would access control_url[strlen(control_url)-1] which on an empty string causes a size_t underflow and out-of-bounds read. Now compute the length first and check for len == 0 before array access. *Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst* *Patch validated by Zheng Yu at depthfirst* Fixes: DFVULN-611
committed by
michaelni
parent
664d44a825
commit
1a00ea51cb
+2
-1
@@ -612,7 +612,8 @@ static void sdp_parse_line(AVFormatContext *s, SDPParseState *s1,
|
||||
NULL, NULL, 0, p);
|
||||
if (proto[0] == '\0') {
|
||||
/* relative control URL */
|
||||
if (rtsp_st->control_url[strlen(rtsp_st->control_url)-1]!='/')
|
||||
size_t len = strlen(rtsp_st->control_url);
|
||||
if (len == 0 || rtsp_st->control_url[len - 1] != '/')
|
||||
av_strlcat(rtsp_st->control_url, "/",
|
||||
sizeof(rtsp_st->control_url));
|
||||
av_strlcat(rtsp_st->control_url, p,
|
||||
|
||||
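Review bot: In the new `if (len == 0 || ...)` branch, an empty `control_url` now gets "/" and then `p` appended, so the stream's control URL becomes a bare path with no scheme or host. The read is now in bounds, but nothing records that the SDP supplied a relative `a=control:` value with no base to resolve it against. Whether later code resolves or rejects such a value is not visible in this hunk, so I would at least document the case with a comment such as `/* empty base: result is "/" + p; the len check avoids reading the byte before control_url */`, and consider an `av_log` warning when `len == 0`. As a style point, the un-braced `if` with its `av_strlcat` body at the same indent is easy to misread now that a declaration sits directly above it; bracing and indenting the body would help. `sdp_parse_line` starts and ends outside the hunk.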