author | Xi Wang <xi.wang@gmail.com> | 2013-01-22 21:40:05 -0500 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2013-01-23 05:55:20 +0100 |
commit | b59ee5dcf119f900a3e9f45098f9e992a5f26fd0 (patch) | |
tree | f435c91b9acabe9e5bac46675715177e9d4d7b10 | |
parent | e163d884ef6ccc52f02a176105098d15c451d6af (diff) | |
rtmp: fix buffer overflows in ff_amf_tag_contents()
A negative `size' will bypass FFMIN(). In the subsequent memcpy() call,
`size' will be considered as a large positive value, leading to a buffer
overflow.
Change the type of `size' to unsigned int to avoid buffer overflow, and
simplify overflow checks accordingly.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4e692374f7962ea358c329de38c380103f8991b6)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavformat/rtmppkt.c | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 5e75e3bd27..c65cfc1439 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -362,7 +362,7 @@ static const char* rtmp_packet_type(int type) static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *data_end) { - int size; + unsigned int size; char buf[1024]; if (data >= data_end) @@ -381,7 +381,7 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d } else { size = bytestream_get_be32(&data); } - size = FFMIN(size, 1023); + size = FFMIN(size, sizeof(buf) - 1); memcpy(buf, data, size); buf[size] = 0; av_log(ctx, AV_LOG_DEBUG, " string '%s'\n", buf); @@ -394,16 +394,15 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d case AMF_DATA_TYPE_OBJECT: av_log(ctx, AV_LOG_DEBUG, " {\n"); for (;;) { - int size = bytestream_get_be16(&data); int t; - memcpy(buf, data, size); - buf[size] = 0; + size = bytestream_get_be16(&data); + av_strlcpy(buf, data, FFMIN(sizeof(buf), size + 1)); if (!size) { av_log(ctx, AV_LOG_DEBUG, " }\n"); data++; break; } - if (size < 0 || size >= data_end - data) + if (size >= data_end - data) return; data += size; av_log(ctx, AV_LOG_DEBUG, " %s: ", buf); |
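Review bot: The copy length in the string case (`size = FFMIN(size, sizeof(buf) - 1); memcpy(buf, data, size);`) is now bounded by the destination but still not by the input. `size` is read from the packet and is never compared with `data_end - data` in this hunk, so a short packet that declares a long string lets memcpy() read up to 1023 bytes past `data_end` and log them. Clamp to the remaining input as well, for example `if (data > data_end) return;` followed by `size = FFMIN(size, FFMIN(sizeof(buf) - 1, (size_t)(data_end - data)));`. The bytestream_get_be32() read just above is likewise not checked against `data_end` as far as the hunk shows; the function body starts and ends outside this hunk.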
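Review bot: In the object loop the key is copied before it is validated: `av_strlcpy(buf, data, FFMIN(sizeof(buf), size + 1))` runs ahead of the `size >= data_end - data` check, so a truncated packet is read before it is rejected. av_strlcpy() also treats `data` as a NUL-terminated string and, like strlcpy(), works out the source length for its return value, so it can scan past the key and past `data_end` when the payload holds no zero byte. Moving the bounds check ahead of the copy and using a length-bounded memcpy() with an explicit terminator avoids both. A check for two remaining bytes before bytestream_get_be16() would also keep `data_end - data` non-negative, which matters now that `size` is unsigned and the `size < 0` test is gone: where ptrdiff_t is no wider than unsigned int, a negative difference would presumably convert to a large unsigned value and pass the check. The loop continues outside the hunk.

```c
for (;;) {
    int t;
    unsigned int n;
    if (data_end - data < 2)
        return;
    size = bytestream_get_be16(&data);
    if (!size) {
        // … unchanged: closing-brace log, data++, break …
    }
    if (size >= data_end - data)
        return;
    n = FFMIN(size, sizeof(buf) - 1);
    memcpy(buf, data, n);
    buf[n] = 0;
    data += size;
    // … unchanged: key log and the rest of the loop body …
```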