[Live-devel] Fix for a possible buffer overflow in SDESItem
Ross Finlayson
finlayson at live555.com
Thu Mar 11 18:28:14 PST 2010
Thanks for bringing this to our attention. There are actually two bugs here:
Bug 1:
> if (length > 511) length = 511;
Each "511" should be "255" (duh!)
Bug 2:
> // Pad the trailing bytes to a 4-byte boundary:
> while ((length)%4 > 0) fData[2 + length++] = '\0';
This code shouldn't be there at all, because there's not supposed to
be any zero bytes between SDES items (RFC 355, section 6.5). (There
*are* zero bytes (padded to a 4-byte boundary) at the end of the SDES
item list, but our code already handles this in
"RTCPInstance::addSDES()".)
This will be fixed in the next release of the code.
--
Ross Finlayson
Live Networks, Inc.
http://www.live555.com/
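
Added example, not code from this post or from live555: a minimal C++ sketch of the two fixes described above. The item text is clamped to 255 bytes because the SDES length field is a single octet, and zero padding is written once at the end of the item list rather than after each item. All names (`SdesItem`, `makeSdesItem`, `writeSdesItemList`) are hypothetical, and the buffer size of 2 + 255 is an assumption about how such an item would be stored.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical names throughout; this is not live555's SDESItem class.
constexpr std::size_t kMaxSdesText = 255;  // the length field is one octet

struct SdesItem {
    std::uint8_t data[2 + kMaxSdesText];   // type, length, up to 255 text bytes
    std::size_t size;                      // bytes used in data
};

// Build one SDES item. Longer text is truncated so the length fits the
// one-octet field and the copy stays inside data[]. No padding is added
// here: items are packed back to back.
SdesItem makeSdesItem(std::uint8_t type, const char* text) {
    SdesItem item{};
    std::size_t length = std::strlen(text);
    if (length > kMaxSdesText) length = kMaxSdesText;  // 255, not 511
    item.data[0] = type;
    item.data[1] = static_cast<std::uint8_t>(length);
    std::memcpy(item.data + 2, text, length);
    item.size = 2 + length;
    return item;
}

// Copy the items into out, then terminate and pad once, at the end of the
// list. Returns the number of bytes written, or 0 if out is too small.
std::size_t writeSdesItemList(const SdesItem* items, std::size_t count,
                              std::uint8_t* out, std::size_t outSize) {
    std::size_t pos = 0;
    for (std::size_t i = 0; i < count; ++i) {
        if (items[i].size > outSize - pos) return 0;   // bounds check per item
        std::memcpy(out + pos, items[i].data, items[i].size);
        pos += items[i].size;
    }
    // At least one zero octet ends the list; then pad to a 4-byte boundary.
    std::size_t padded = (pos + 1 + 3) & ~static_cast<std::size_t>(3);
    if (padded > outSize) return 0;
    std::memset(out + pos, 0, padded - pos);
    return padded;
}
```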