Bug 750096 – sdp: prevent the sdp message parser from reading past the end of the buffer

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 750096 - sdp: prevent the sdp message parser from reading past the end of the buffer


Summary:	sdp: prevent the sdp message parser from reading past the end of the buffer


Status:	RESOLVED FIXED

Product:	GStreamer
Classification:	Platform
Component:	gst-plugins-base
Version:	git master
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	1.5.1
Assigned To:	GStreamer Maintainers
QA Contact:	GStreamer Maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2015-05-29 11:20 UTC by George Kiagiadakis
Modified:	2015-05-29 13:42 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
patch (1.88 KB, patch) 2015-05-29 11:20 UTC, George Kiagiadakis	committed	Details \| Review

Description George Kiagiadakis 2015-05-29 11:20:56 UTC

Created attachment 304237 [details] [review]
patch

gst_sdp_message_parse_buffer() currently has a size argument but it doesn't use it, making it possible for a malformed SDP message to cause a crash or even maliciously gather data located out of the allocated buffer for the SDP message.

Comment 1 George Kiagiadakis 2015-05-29 13:08:47 UTC

commit 6ab46d8f0a409cebfa6ca07f89c351501cec9673
Author: George Kiagiadakis <george.kiagiadakis@collabora.com>
Date:   Fri May 29 13:15:59 2015 +0200

    sdp: prevent the sdp message parser from reading past the end of the buffer

    Otherwise, a malformed SDP message could crash the application,
    or even maliciously gather data from the memory located after
    this buffer...

    https://bugzilla.gnome.org/show_bug.cgi?id=750096