diff options
author | Martin Storsjö <martin@martin.st> | 2013-10-03 13:49:50 +0200 |
---|---|---|
committer | Martin Storsjö <martin@martin.st> | 2013-10-04 09:25:10 +0300 |
commit | cd818b3a5709b9b08bd5901cb8863a8b61be265e (patch) | |
tree | 3d20e6827fecefa301a674b4fe6c8baaa2b390a4 | |
parent | 8921e32f730c191543b84e61338bc9d549aa05a3 (diff) | |
download | ffmpeg-cd818b3a5709b9b08bd5901cb8863a8b61be265e.tar.gz |
rtmpproto: Validate the embedded flv packet size before copying
This wasn't an issue prior to 58404738, when the whole RTMP packet
was copied at once and the length of the individual embedded flv
packets only were validated by the flv demuxer.
Prior to this patch, this could lead to reads and writes out of bound.
Signed-off-by: Martin Storsjö <martin@martin.st>
-rw-r--r-- | libavformat/rtmpproto.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index e7e37a3656..3dbfc92c48 100644 --- a/libavformat/rtmpproto.c +++ b/libavformat/rtmpproto.c @@ -2221,6 +2221,8 @@ static int handle_metadata(RTMPContext *rt, RTMPPacket *pkt) pts = cts; ts += cts - pts; pts = cts; + if (size + 3 + 4 > pkt->data + pkt->size - next) + break; bytestream_put_byte(&p, type); bytestream_put_be24(&p, size); bytestream_put_be24(&p, ts); |