From 75b371e8fac744315c1666af2502726440805452 Mon Sep 17 00:00:00 2001
From: jeanlf
Date: Mon, 16 May 2022 12:29:53 +0200
Subject: [PATCH] fixed #2182
---
 src/ietf/rtsp_command.c | 6 ++++++
 src/ietf/rtsp_common.c | 17 +++++++----------
 src/ietf/rtsp_response.c | 6 ++++++
 3 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/src/ietf/rtsp_command.c b/src/ietf/rtsp_command.c
index e187580554..37815fc869 100644
--- a/src/ietf/rtsp_command.c
+++ b/src/ietf/rtsp_command.c
@@ -540,6 +540,12 @@ GF_Err gf_rtsp_get_command(GF_RTSPSession *sess, GF_RTSPCommand *com)
 //copy the body if any
 if (!e && com->Content_Length) {
+ u32 rsp_size = sess->CurrentSize - sess->CurrentPos;
+ if (rsp_size < com->Content_Length) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_RTP, ("[RTSP] Invalid content length %u - Response was: \n%s\n", com->Content_Length, sess->tcp_buffer+sess->CurrentPos));
+ e = GF_NON_COMPLIANT_BITSTREAM;
+ goto exit;
+ }
 com->body = (char *) gf_malloc(sizeof(char) * (com->Content_Length));
 memcpy(com->body, sess->tcp_buffer+sess->CurrentPos + BodyStart, com->Content_Length);
 }
diff --git a/src/ietf/rtsp_common.c b/src/ietf/rtsp_common.c
index 5fd1793ca5..ea311a2aba 100644
--- a/src/ietf/rtsp_common.c
+++ b/src/ietf/rtsp_common.c
@@ -58,7 +58,6 @@ GF_Err gf_rtsp_read_reply(GF_RTSPSession *sess)
 void gf_rtsp_get_body_info(GF_RTSPSession *sess, u32 *body_start, u32 *body_size)
 {
- u32 i;
 s32 start;
 char *buffer;
 char *cl_str;
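Review bot: The length check added to gf_rtsp_get_command (src/ietf/rtsp_command.c) does not account for `BodyStart`: `rsp_size` is `CurrentSize - CurrentPos`, but the `memcpy` right after it reads from `tcp_buffer + CurrentPos + BodyStart`, so a `Content_Length` that passes the check can still read up to `BodyStart` bytes past the received data. The guard should compare against what is left after the header, e.g. `if (rsp_size < BodyStart || rsp_size - BodyStart < com->Content_Length) {`. The identical check added to gf_rtsp_get_response in src/ietf/rtsp_response.c has the same gap. This assumes `CurrentSize` counts the valid bytes in `tcp_buffer` and that `CurrentPos <= CurrentSize`; both are set outside the hunk, as is `BodyStart`, and the function itself starts and ends outside the hunk.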
@@ -73,23 +72,21 @@ void gf_rtsp_get_body_info(GF_RTSPSession *sess, u32 *body_start, u32 *body_size)
 //if found add the 2 "\r\n" and parse it
 *body_start = start + 4;
+ *body_size = 0;
 //get the content length
 cl_str = strstr(buffer, "Content-Length: ");
 if (!cl_str) cl_str = strstr(buffer, "Content-length: ");
 if (cl_str) {
- char val[30];
+ char *sep;
 cl_str += 16;
- i = 0;
- while (cl_str[i] != '\r') {
- val[i] = cl_str[i];
- i += 1;
+ sep = strchr(cl_str, '\r');
+ if (sep) {
+ sep[0] = 0;
+ *body_size = atoi(cl_str);
+ sep[0] = '\r';
 }
- val[i] = 0;
- *body_size = atoi(val);
- } else {
- *body_size = 0;
 }
 }
diff --git a/src/ietf/rtsp_response.c b/src/ietf/rtsp_response.c
index 1c1dcbd3f8..dda42a575b 100644
--- a/src/ietf/rtsp_response.c
+++ b/src/ietf/rtsp_response.c
@@ -398,6 +398,12 @@ GF_Err gf_rtsp_get_response(GF_RTSPSession *sess, GF_RTSPResponse *rsp)
 //copy the body if any
 if (!e && rsp->Content_Length) {
+ u32 rsp_size = sess->CurrentSize - sess->CurrentPos;
+ if (rsp_size < rsp->Content_Length) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_RTP, ("[RTSP] Invalid content length %u - Response was: \n%s\n", rsp->Content_Length, sess->tcp_buffer+sess->CurrentPos));
+ e = GF_NON_COMPLIANT_BITSTREAM;
+ goto exit;
+ }
 rsp->body = (char *)gf_malloc(sizeof(char) * (rsp->Content_Length));
 memcpy(rsp->body, sess->tcp_buffer+sess->CurrentPos + BodyStart, rsp->Content_Length);
 }
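Review bot: `*body_size = atoi(cl_str);` in gf_rtsp_get_body_info (src/ietf/rtsp_common.c) still converts a peer-supplied header with `atoi`, which reports no errors: a negative value becomes a very large `u32`, an out-of-range value is undefined behaviour, and trailing non-digits are silently accepted. Parsing with `strtoul` and an end pointer rejects those cases and removes the need to write a temporary NUL into the receive buffer: `char *end; unsigned long v = strtoul(cl_str, &end, 10);` then `if (cl_str[0] >= '0' && cl_str[0] <= '9' && end == sep && v <= 0xFFFFFFFFUL) *body_size = (u32) v;` (relax the `end == sep` test if trailing whitespace has to be tolerated). Separately, `strstr(buffer, ...)` is not limited to the header part, so a `Content-Length: ` string inside the body could be matched when the header is absent; whether `buffer` is NUL-terminated is not visible here. The function starts outside this hunk.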
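Review bot: The `GF_LOG` call added to gf_rtsp_get_response (src/ietf/rtsp_response.c) prints `sess->tcp_buffer+sess->CurrentPos` with `%s`, which reads until a NUL byte rather than stopping at `CurrentSize`, and nothing in the hunk shows that the buffer is NUL-terminated. On this path the peer's data is already known to be inconsistent, so the print should be bounded, e.g. `("[RTSP] Invalid content length %u - Response was: \n%.*s\n", rsp->Content_Length, (int) rsp_size, sess->tcp_buffer+sess->CurrentPos)`, assuming GF_LOG forwards to a printf-style formatter. The message also puts raw network bytes into the log, so whatever consumes the log should treat that field as untrusted. The same applies to the GF_LOG line added in src/ietf/rtsp_command.c; the function starts and ends outside the hunk.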