sdp解析异常r行报文存在死循环
复现如下:
//sdp_test.c
#include "sdp.h"
#include <unistd.h>
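/*
 * Reproduction harness for the SDP parser.
 *
 * Reads at most sizeof(buf) bytes of SDP text from stdin in a single read()
 * call, hands them to sdp_parse() and releases the result with sdp_destroy()
 * when one is returned.
 *
 * Returns 0 after a parse attempt, 1 if stdin could not be read.
 */
int main() {
    unsigned char buf[4096];

    /* read() reports failure as -1; that value must not reach the parser as a length. */
    int len = read(0, buf, sizeof buf);
    if (len < 0) {
        return 1;
    }

    sdp_t* sdp = sdp_parse(buf, len);
    if (sdp != 0) {
        sdp_destroy(sdp);
    }
    return 0;
}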
payload:
# Build the harness statically against the librtsp archive.
gcc -static -I./src/media-server/librtsp/include/ ./sdp_test.c ./librtsp.a -o sdp_test
# Regression input from this report: a t= line followed by an r= line whose value starts with a NUL byte.
# On a build without the fix below, the parser is reported not to return (the loop described above).
echo -ne "t=0 0\x0ar=\x00\x0a" | ./sdp_test
麻烦修改sdp.c文件759行,改为 while(sdp->raw[sdp->offset] && strchr(" \t", sdp->raw[sdp->offset]))
diff如下:
diff --git "a/librtsp/source/sdp.c" "b/librtsp/source/sdp.c"
index fe7cd97..4b12865 100644
--- "a/librtsp/source/sdp.c"
+++ "b/librtsp/source/sdp.c"
@@ -756,7 +756,7 @@ static int sdp_parse_repeat(struct sdp_t* sdp)
r->duration = sdp->raw + sdp->offset;
n[1] = sdp_token_word(sdp, " \t\r\n");
- while(strchr(" \t", sdp->raw[sdp->offset]))
+ while(sdp->raw[sdp->offset] && strchr(" \t", sdp->raw[sdp->offset]))
{
if(n[2] > 0 && offset)
{
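Review bot: The added `sdp->raw[sdp->offset] &&` guard deserves a one-line comment, because the reason is easy to miss: `strchr()` treats the terminating NUL as part of the searched string, so `strchr(" \t", '\0')` is non-NULL and the loop never leaves the end of the buffer. Something like `/* strchr() also matches '\0'; stop at end of input */` above the `while` would keep the check from being dropped in a later cleanup. Any other whitespace-skipping loop in sdp.c written the same way would presumably hang on the same kind of input and is worth checking; none is visible here. The body of sdp_parse_repeat starts and ends outside the hunk, and the same hunk is repeated in the later patch on this page.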
timezone解析的时候貌似还有个堆溢出的问题,sdp_destroy的时候看到会free一个很大的块。 payload:
# Regression input from this report: an empty t= line followed by a z= line with four numeric fields.
echo -ne "t=\x0az=0 0 0 0" | ./sdp_test
确实是有问题, 变量名搞错了, t->r.count -> t->z.count
diff --git "a/librtsp/source/sdp.c" "b/librtsp/source/sdp.c"
index fe7cd97..3d13c1b 100644
--- "a/librtsp/source/sdp.c"
+++ "b/librtsp/source/sdp.c"
@@ -756,7 +756,7 @@ static int sdp_parse_repeat(struct sdp_t* sdp)
r->duration = sdp->raw + sdp->offset;
n[1] = sdp_token_word(sdp, " \t\r\n");
- while(strchr(" \t", sdp->raw[sdp->offset]))
+ while(sdp->raw[sdp->offset] && strchr(" \t", sdp->raw[sdp->offset]))
{
if(n[2] > 0 && offset)
{
@@ -829,11 +829,11 @@ static int sdp_parse_timezone(struct sdp_t* sdp)
t->z.capacity += 8;
}
- z = &t->z.ptr[t->r.count - N_TIMEZONE];
+ z = &t->z.ptr[t->z.count - N_TIMEZONE];
}
else
{
- z = &t->z.timezones[t->r.count];
+ z = &t->z.timezones[t->z.count];
}
z->time = time;
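Review bot: The bound that keeps the two corrected index expressions safe is not visible in this hunk. `&t->z.ptr[t->z.count - N_TIMEZONE]` and `&t->z.timezones[t->z.count]` are only in range if the branch condition and the growth check that ends in `t->z.capacity += 8` test `t->z.count` as well, so those lines should be checked for the same `r`/`z` mix-up. A short comment at the branch, for example `/* z.count < N_TIMEZONE uses the inline timezones[]; later entries live in ptr[] */`, would make the invariant explicit. The input quoted in the report is worth keeping as a regression test run under a memory checker. sdp_parse_timezone starts and ends outside the hunk.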