[FFmpeg-cvslog] rtmpproto: Validate the embedded flv packet size before copying

Martin Storsjö git at videolan.org
Fri Oct 4 14:36:30 CEST 2013


ffmpeg | branch: master | Martin Storsjö <martin at martin.st> | Thu Oct  3 13:49:50 2013 +0200| [cd818b3a5709b9b08bd5901cb8863a8b61be265e] | committer: Martin Storsjö

rtmpproto: Validate the embedded flv packet size before copying

This wasn't an issue prior to 58404738, when the whole RTMP packet
was copied at once and the length of the individual embedded flv
packets only were validated by the flv demuxer.

Prior to this patch, this could lead to reads and writes out of bounds.

Signed-off-by: Martin Storsjö <martin at martin.st>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cd818b3a5709b9b08bd5901cb8863a8b61be265e
---

 libavformat/rtmpproto.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index e7e37a3..3dbfc92 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -2221,6 +2221,8 @@ static int handle_metadata(RTMPContext *rt, RTMPPacket *pkt)
             pts = cts;
         ts += cts - pts;
         pts = cts;
+        if (size + 3 + 4 > pkt->data + pkt->size - next)
+            break;
         bytestream_put_byte(&p, type);
         bytestream_put_be24(&p, size);
         bytestream_put_be24(&p, ts);
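
Review bot: the new check `if (size + 3 + 4 > pkt->data + pkt->size - next)` leaves the loop with a bare `break`, so a truncated or malformed embedded flv packet is dropped silently and the caller cannot tell it apart from a normal end of data; consider logging a warning or returning an error at that point. The constants `3 + 4` are unexplained, and a short comment naming the fields they account for would make the bound checkable by a reader. The comparison bounds `next` against the source packet only, while the `bytestream_put_*` calls that follow write through `p`, so a comment stating why this condition also bounds the destination would help, since nothing in this hunk shows how the destination is sized.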


