[FFmpeg-cvslog] rtmpproto: Support alternative slist parameter in rtmp URLs

Thu May 8 19:39:42 CEST 2014

On Wed, May 07, 2014 at 08:56:39PM +0200, Reimar Döffinger wrote:
> 
> 
> On 07.05.2014, at 00:48, git at videolan.org (Uwe L. Korn) wrote:
> 
> > ffmpeg | branch: master | Uwe L. Korn <uwelk at xhochy.com> | Mon May  5 21:47:05 2014 +0100| [7ce3bd9614717e545af8fb8455032c807e389b78] | committer: Martin Storsjö
> > 
> > rtmpproto: Support alternative slist parameter in rtmp URLs
> > 
> > Support the URL scheme where the playpath is in an RTMP URL is
> > passed as the slist argument and the app is given infront of the
> > query part of the URL:
> > 
> > rtmp://host[:port]/[app]?slist=[playpath]
> > 
> > (other arguments in the query part are stripped as they are not used)
> > 
> > Signed-off-by: Martin Storsjö <martin at martin.st>
> > 
> >> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7ce3bd9614717e545af8fb8455032c807e389b78
> > ---
> > 
> > libavformat/rtmpproto.c |   16 ++++++++++++++--
> > 1 file changed, 14 insertions(+), 2 deletions(-)
> > 
> > diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
> > index 8d8aabc..2962737 100644
> > --- a/libavformat/rtmpproto.c
> > +++ b/libavformat/rtmpproto.c
> > @@ -2382,7 +2382,7 @@ static int rtmp_open(URLContext *s, const char *uri, int flags)
> > {
> >     RTMPContext *rt = s->priv_data;
> >     char proto[8], hostname[256], path[1024], auth[100], *fname;
> > -    char *old_app;
> > +    char *old_app, *qmark, fname_buffer[1024];
> >     uint8_t buf[2048];
> >     int port;
> >     AVDictionary *opts = NULL;
> > @@ -2480,7 +2480,19 @@ reconnect:
> >     }
> > 
> >     //extract "app" part from path
> > -    if (!strncmp(path, "/ondemand/", 10)) {
> > +    qmark = strchr(path, '?');
> > +    if (qmark && strstr(qmark, "slist=")) {
> > +        char* amp;
> > +        // After slist we have the playpath, before the params, the app
> > +        av_strlcpy(rt->app, path + 1, qmark - path);
> > +        fname = strstr(path, "slist=") + 6;
> > +        // Strip any further query parameters from fname
> > +        amp = strchr(fname, '&');
> > +        if (amp) {
> > +            av_strlcpy(fname_buffer, fname, amp - fname + 1);
> 
> I would feel a lot more comfortable if those two strlcpy used FFMIN(..., sizeof(destination buffer)) instead.
> At least not obvious how they are limited correctly, and I doubt there is not a major risk of future changes opening a trivially (direct stack buffer overflow) exploitable hole here.

changed

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The worst form of inequality is to try to make unequal things equal.
-- Aristotle
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <https://ffmpeg.org/pipermail/ffmpeg-cvslog/attachments/20140508/e4eea9cb/attachment.asc>