Commit 4e692374 authored by Xi Wang's avatar Xi Wang Committed by Michael Niedermayer

rtmp: fix buffer overflows in ff_amf_tag_contents()

A negative `size' will bypass FFMIN().  In the subsequent memcpy() call,
`size' will be considered as a large positive value, leading to a buffer
overflow.

Change the type of `size' to unsigned int to avoid buffer overflow, and
simplify overflow checks accordingly.
Signed-off-by: 's avatarXi Wang <xi.wang@gmail.com>
Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parent 902cfe2f
...@@ -440,7 +440,7 @@ static const char* rtmp_packet_type(int type) ...@@ -440,7 +440,7 @@ static const char* rtmp_packet_type(int type)
static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *data_end) static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *data_end)
{ {
int size; unsigned int size;
char buf[1024]; char buf[1024];
if (data >= data_end) if (data >= data_end)
...@@ -459,7 +459,7 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d ...@@ -459,7 +459,7 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d
} else { } else {
size = bytestream_get_be32(&data); size = bytestream_get_be32(&data);
} }
size = FFMIN(size, 1023); size = FFMIN(size, sizeof(buf) - 1);
memcpy(buf, data, size); memcpy(buf, data, size);
buf[size] = 0; buf[size] = 0;
av_log(ctx, AV_LOG_DEBUG, " string '%s'\n", buf); av_log(ctx, AV_LOG_DEBUG, " string '%s'\n", buf);
...@@ -472,16 +472,15 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d ...@@ -472,16 +472,15 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d
case AMF_DATA_TYPE_OBJECT: case AMF_DATA_TYPE_OBJECT:
av_log(ctx, AV_LOG_DEBUG, " {\n"); av_log(ctx, AV_LOG_DEBUG, " {\n");
for (;;) { for (;;) {
int size = bytestream_get_be16(&data);
int t; int t;
memcpy(buf, data, size); size = bytestream_get_be16(&data);
buf[size] = 0; av_strlcpy(buf, data, FFMIN(sizeof(buf), size + 1));
if (!size) { if (!size) {
av_log(ctx, AV_LOG_DEBUG, " }\n"); av_log(ctx, AV_LOG_DEBUG, " }\n");
data++; data++;
break; break;
} }
if (size < 0 || size >= data_end - data) if (size >= data_end - data)
return; return;
data += size; data += size;
av_log(ctx, AV_LOG_DEBUG, " %s: ", buf); av_log(ctx, AV_LOG_DEBUG, " %s: ", buf);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment