From 0e1ceacde98f912de8604ea7ebe321a1790bd4b6 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 16 Mar 2005 19:06:34 +0000
Subject: buffer overflow in sdp_probe() fix by (Gildas Bazin )gbazin altern org)
Originally committed as revision 4049 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavformat/rtsp.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c
index 2b6fa8844a..3261cf3d23 100644
--- a/libavformat/rtsp.c
+++ b/libavformat/rtsp.c
@@ -1174,17 +1174,16 @@ AVInputFormat rtsp_demux = {
 static int sdp_probe(AVProbeData *p1)
 {
- const char *p;
+ const char *p = p1->buf, *p_end = p1->buf + p1->buf_size;
 /* we look for a line beginning "c=IN IP4" */
- p = p1->buf;
- while (*p != '\0') {
- if (strstart(p, "c=IN IP4", NULL))
+ while (p < p_end && *p != '\0') {
+ if (p + sizeof("c=IN IP4") - 1 < p_end && strstart(p, "c=IN IP4", NULL))
 return AVPROBE_SCORE_MAX / 2;
- p = strchr(p, '\n');
- if (!p)
+
+ while(p < p_end - 1 && *p != '\n') p++;
+ if (++p >= p_end)
 break;
- p++;
 if (*p == '\r')
 p++;
 }
-- 
cgit v1.2.3
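Review bot: The new prefix guard `p + sizeof("c=IN IP4") - 1 < p_end` computes a pointer that can lie more than one element past the end of `p1->buf` when `p` is within the last few bytes, which is undefined behaviour in C even though that pointer is never dereferenced. Comparing the remaining length avoids forming it: `if ((size_t)(p_end - p) >= sizeof("c=IN IP4") - 1 && strstart(p, "c=IN IP4", NULL))`. The strict `<` also rejects a candidate that ends exactly at `p_end`; `>=` is only safe if strstart reads no further than the prefix length, and its body is not in this hunk, so keep `>` if that is not guaranteed. A one-line comment on `p_end` stating that the probe buffer is not assumed to be NUL-terminated would record why the `strchr` call was replaced by a bounded scan. sdp_probe's body continues past the end of the hunk.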