aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMartin Storsjö <martin@martin.st>2013-10-03 13:49:50 +0200
committerMartin Storsjö <martin@martin.st>2013-10-04 09:25:10 +0300
commitcd818b3a5709b9b08bd5901cb8863a8b61be265e (patch)
tree3d20e6827fecefa301a674b4fe6c8baaa2b390a4
parent8921e32f730c191543b84e61338bc9d549aa05a3 (diff)
downloadffmpeg-cd818b3a5709b9b08bd5901cb8863a8b61be265e.tar.gz
rtmpproto: Validate the embedded flv packet size before copying
This wasn't an issue prior to 58404738, when the whole RTMP packet was copied at once and the length of the individual embedded flv packets only were validated by the flv demuxer. Prior to this patch, this could lead to reads and writes out of bound. Signed-off-by: Martin Storsjö <martin@martin.st>
-rw-r--r--libavformat/rtmpproto.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index e7e37a3656..3dbfc92c48 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -2221,6 +2221,8 @@ static int handle_metadata(RTMPContext *rt, RTMPPacket *pkt)
pts = cts;
ts += cts - pts;
pts = cts;
+ if (size + 3 + 4 > pkt->data + pkt->size - next)
+ break;
bytestream_put_byte(&p, type);
bytestream_put_be24(&p, size);
bytestream_put_be24(&p, ts);