realrtsp: don't write outside a static buffer.

diff --git a/modules/access/rtsp/real.c b/modules/access/rtsp/real.c
index 7743491bca4cfdcecdb06652d7a2f2582c9bdf02..c744208b65505eaf9fd5e2f27a34e6c0e6746d2c 100644 (file)
--- a/modules/access/rtsp/real.c
+++ b/modules/access/rtsp/real.c
@@ -442,10 +442,9 @@ rmff_header_t *real_parse_sdp(char *data, char **stream_rules, uint32_t bandwidt
   buf= (char *)malloc(2048);
   if( !buf ) goto error;
 
-  header = (rmff_header_t*)malloc(sizeof(rmff_header_t));
+  header = calloc( 1, sizeof(rmff_header_t) );
   if( !header ) goto error;
 
-  memset(header, 0, sizeof(rmff_header_t));
   header->fileheader=rmff_new_fileheader(4+desc->stream_count);
   header->cont=rmff_new_cont(
       desc->title,
@@ -456,10 +455,9 @@ rmff_header_t *real_parse_sdp(char *data, char **stream_rules, uint32_t bandwidt
   header->data=rmff_new_dataheader(0,0);
   if( !header->data ) goto error;
 
-  header->streams = (rmff_mdpr_t**) malloc(sizeof(rmff_mdpr_t*)*(desc->stream_count+1));
+  header->streams = calloc( desc->stream_count+1, sizeof(rmff_mdpr_t*) );
   if( !header->streams ) goto error;
 
-  memset(header->streams, 0, sizeof(rmff_mdpr_t*)*(desc->stream_count+1));
   lprintf("number of streams: %u\n", desc->stream_count);
 
   for (i=0; i<desc->stream_count; i++) {
@@ -471,7 +469,7 @@ rmff_header_t *real_parse_sdp(char *data, char **stream_rules, uint32_t bandwidt
 
     lprintf("calling asmrp_match with:\n%s\n%u\n", desc->stream[i]->asm_rule_book, bandwidth);
 
-    n=asmrp_match(desc->stream[i]->asm_rule_book, bandwidth, rulematches);
+    n=asmrp_match(desc->stream[i]->asm_rule_book, bandwidth, rulematches, sizeof(rulematches)/sizeof(rulematches[0]));
     for (j=0; j<n; j++) {
       lprintf("asmrp rule match: %u for stream %u\n", rulematches[j], desc->stream[i]->stream_id);
       sprintf(b,"stream=%u;rule=%u,", desc->stream[i]->stream_id, rulematches[j]);

diff --git a/modules/access/rtsp/real.h b/modules/access/rtsp/real.h
index bb2479c5936309d14c53f447fe725e4d3fc96dd2..d4513d192082b6b217f25deab7bd725302c22595 100644 (file)
--- a/modules/access/rtsp/real.h
+++ b/modules/access/rtsp/real.h
@@ -48,6 +48,6 @@ int real_get_rdt_chunk_header(rtsp_client_t *, rmff_pheader_t *);
 int real_get_rdt_chunk(rtsp_client_t *, rmff_pheader_t *, unsigned char **);
 rmff_header_t *real_setup_and_get_header(rtsp_client_t *, int bandwidth);
 
-int asmrp_match(const char *rules, int bandwidth, int *matches) ;
+int asmrp_match(const char *rules, int bandwidth, int *matches, int matchsize) ;
 
 #endif

diff --git a/modules/access/rtsp/real_asmrp.c b/modules/access/rtsp/real_asmrp.c
index c37363feae7a6ee390e7e7f991e176b634bd3658..057e230e7823400e3b022b1621aa8384a4e4671f 100644 (file)
--- a/modules/access/rtsp/real_asmrp.c
+++ b/modules/access/rtsp/real_asmrp.c
@@ -94,7 +94,7 @@ static asmrp_t *asmrp_new (void ) {
 
   p->sym_tab_num = 0;
   p->sym         = ASMRP_SYM_NONE;
-  p->buf         = 0;
+  p->buf         = NULL;
 
   return p;
 }
@@ -595,7 +595,7 @@ static int asmrp_rule (asmrp_t *p) {
   return ret;
 }
 
-static int asmrp_eval (asmrp_t *p, int *matches) {
+static int asmrp_eval (asmrp_t *p, int *matches, int matchsize) {
 
   int rule_num, num_matches;
 
@@ -604,7 +604,7 @@ static int asmrp_eval (asmrp_t *p, int *matches) {
   asmrp_get_sym (p);
 
   rule_num = 0; num_matches = 0;
-  while (p->sym != ASMRP_SYM_EOF) {
+  while (p->sym != ASMRP_SYM_EOF && num_matches < matchsize - 1) {
 
     if (asmrp_rule (p)) {
       lprintf ("rule #%d is true\n", rule_num);
@@ -620,7 +620,7 @@ static int asmrp_eval (asmrp_t *p, int *matches) {
   return num_matches;
 }
 
-int asmrp_match (const char *rules, int bandwidth, int *matches) {
+int asmrp_match (const char *rules, int bandwidth, int *matches, int matchsize) {
 
   asmrp_t *p;
   int      num_matches;
@@ -632,7 +632,7 @@ int asmrp_match (const char *rules, int bandwidth, int *matches) {
   asmrp_set_id (p, "Bandwidth", bandwidth);
   asmrp_set_id (p, "OldPNMPlayer", 0);
 
-  num_matches = asmrp_eval (p, matches);
+  num_matches = asmrp_eval (p, matches, matchsize);
 
   asmrp_dispose (p);