diff options
author | Pascal Buhler <pabuhler@cisco.com> | 2011-10-12 11:28:10 +0200 |
---|---|---|
committer | Tim-Philipp Müller <tim.muller@collabora.co.uk> | 2012-01-05 11:12:25 +0000 |
commit | 0febae7443b165ceaa69641e95d7069f26719e59 (patch) | |
tree | c9fb283b8bf1bea0156249fa45eabe1b7e97480e | |
parent | cfdb48ba8f46128baeb8ce249bcf9013d5fe0b3e (diff) |
rtcpbuffer: prevent overflow of 16bit header length.
RTCP header can be (2^16 + 1) * 4 bytes long, so when validating a bogus
packet it was possible to get a 16bit overflow resulting in a length of 0.
This would put the gst_rtcp_buffer_validate_data function in a endless loop.
https://bugzilla.gnome.org/show_bug.cgi?id=667313
-rw-r--r-- | gst-libs/gst/rtp/gstrtcpbuffer.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/gst-libs/gst/rtp/gstrtcpbuffer.c b/gst-libs/gst/rtp/gstrtcpbuffer.c index fbd928c92..539f76387 100644 --- a/gst-libs/gst/rtp/gstrtcpbuffer.c +++ b/gst-libs/gst/rtp/gstrtcpbuffer.c @@ -111,7 +111,7 @@ gboolean gst_rtcp_buffer_validate_data (guint8 * data, guint len) { guint16 header_mask; - guint16 header_len; + guint header_len; guint8 version; guint data_len; gboolean padding; |