[FFmpeg-cvslog] rtmpproto: Validate the embedded flv packet size before copying
Martin Storsjö
git at videolan.org
Fri Oct 4 14:36:30 CEST 2013
ffmpeg | branch: master | Martin Storsjö <martin at martin.st> | Thu Oct 3 13:49:50 2013 +0200| [cd818b3a5709b9b08bd5901cb8863a8b61be265e] | committer: Martin Storsjö
rtmpproto: Validate the embedded flv packet size before copying
This wasn't an issue prior to 58404738, when the whole RTMP packet
was copied at once and the length of the individual embedded flv
packets only were validated by the flv demuxer.
Prior to this patch, this could lead to reads and writes out of bound.
Signed-off-by: Martin Storsjö <martin at martin.st>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cd818b3a5709b9b08bd5901cb8863a8b61be265e
---
libavformat/rtmpproto.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index e7e37a3..3dbfc92 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -2221,6 +2221,8 @@ static int handle_metadata(RTMPContext *rt, RTMPPacket *pkt)
pts = cts;
ts += cts - pts;
pts = cts;
+ if (size + 3 + 4 > pkt->data + pkt->size - next)
+ break;
bytestream_put_byte(&p, type);
bytestream_put_be24(&p, size);
bytestream_put_be24(&p, ts);
More information about the ffmpeg-cvslog
mailing list