Skip to content

F
ffmpeg.wasm-core
Commit 8ea1459b authored by Samuel Pitoiset's avatar Samuel Pitoiset Committed by Martin Storsjö
Browse files
Options

rtmp: Check the buffer length of ping packets 

Signed-off-by: 's avatarMartin Storsjö <martin@martin.st>
parent e49e6b64
Hide whitespace changes
Inline Side-by-side
Showing with 12 additions and 0 deletions
libavformat/rtmpproto.c
View file @ 8ea1459b
...@@ -515,6 +515,12 @@ static int gen_pong(URLContext *s, RTMPContext *rt, RTMPPacket *ppkt) ...@@ -515,6 +515,12 @@ static int gen_pong(URLContext *s, RTMPContext *rt, RTMPPacket *ppkt)
uint8_t *p; uint8_t *p;
int ret; int ret;
if (ppkt->data_size < 6) {
av_log(s, AV_LOG_ERROR, "Too short ping packet (%d)\n",
ppkt->data_size);
return AVERROR_INVALIDDATA;
}
if ((ret = ff_rtmp_packet_create(&pkt, RTMP_NETWORK_CHANNEL, RTMP_PT_PING, if ((ret = ff_rtmp_packet_create(&pkt, RTMP_NETWORK_CHANNEL, RTMP_PT_PING,
ppkt->timestamp + 1, 6)) < 0) ppkt->timestamp + 1, 6)) < 0)
return ret; return ret;
...@@ -913,6 +919,12 @@ static int handle_ping(URLContext *s, RTMPPacket *pkt) ...@@ -913,6 +919,12 @@ static int handle_ping(URLContext *s, RTMPPacket *pkt)
RTMPContext *rt = s->priv_data; RTMPContext *rt = s->priv_data;
int t, ret; int t, ret;
if (pkt->data_size < 2) {
av_log(s, AV_LOG_ERROR, "Too short ping packet (%d)\n",
pkt->data_size);
return AVERROR_INVALIDDATA;
}
t = AV_RB16(pkt->data); t = AV_RB16(pkt->data);
if (t == 6) { if (t == 6) {
if ((ret = gen_pong(s, rt, pkt)) < 0) if ((ret = gen_pong(s, rt, pkt)) < 0)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment