RTSP: avoid integer overflow on funny RTSP response #1969
Is this still going to match? If all fields match, isn't sscanf going to return 4 instead?
sscanf() is a bit tricky to use for this matching. It doesn't really care about the spaces in the match string so an input like 1.1234567 200 (i.e. an illegal string) will match %1d.%d %3d and store 1, 1 and 234 and return 3. I don't think we want that.
So with %1d.%d %3d %d I want the above input to store 1, 1, 234, 567 and return 4, which isn't and shouldn't be a match.
While explaining this I think the case where the input says "1.1 200 200 reasons to be fine" is also going to not match while it is a fine input. The second "200" just happens to be part of the string...
I'll improve the logic.
Your sscanf has wall coming from %d. Is "OK" going to be matched by %d?
... like a very large non-existing RTSP version number. Added test 577 to verify. Detected by OSS-fuzz.
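The matching problem discussed in this thread, as an added example (not code from the pull request or from curl): a status-line parser that bounds each numeric field by digit count instead of relying on the sscanf() return count, so an oversized version number is rejected rather than overflowing an int, while a reason phrase that begins with digits is still accepted. The names bounded_num and parse_rtsp_status, the single-digit major/minor limit and the sample lines are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: read 1..maxdigits decimal digits at *p. Returns -1 on
   zero or too many digits, so the value is at most 10^maxdigits - 1. */
static int bounded_num(const char **p, int maxdigits)
{
  int n = 0, v = 0;
  while(isdigit((unsigned char)**p)) {
    if(++n > maxdigits)
      return -1;
    v = v * 10 + (**p - '0');
    (*p)++;
  }
  return n ? v : -1;
}

/* Parse "RTSP/<major>.<minor> <3-digit status>[ reason]". Returns 1 on a
   match, 0 otherwise (outputs are only meaningful when 1 is returned). */
int parse_rtsp_status(const char *line, int *major, int *minor, int *status)
{
  const char *p = line, *s;
  if(strncmp(p, "RTSP/", 5) != 0)
    return 0;
  p += 5;
  if((*major = bounded_num(&p, 1)) < 0 || *p++ != '.')
    return 0;
  if((*minor = bounded_num(&p, 1)) < 0 || *p++ != ' ')
    return 0;
  s = p;
  if((*status = bounded_num(&p, 3)) < 0 || p - s != 3)
    return 0;
  /* the status must end here; whatever follows a space is the reason text */
  return *p == '\0' || *p == ' ' || *p == '\r' || *p == '\n';
}

int main(void)
{
  /* constructed sample status lines */
  const char *in[] = { "RTSP/1.0 200 OK", "RTSP/1.1 200 200 reasons to be fine",
                       "RTSP/1.1234567 200 OK", "RTSP/4294967297.0 200 OK" };
  for(int i = 0; i < 4; i++) {
    int a, b, c;
    printf("%-38s -> %s\n", in[i],
           parse_rtsp_status(in[i], &a, &b, &c) ? "match" : "reject");
  }
  return 0;
}
```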