aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2017-07-28 14:37:26 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2017-07-29 14:17:57 +0200
commit6de5ec8ef818774c58a1c4cd9548534be0e54ecc (patch)
tree481d3dcd76871ddb4626a4a9ad2affd482649919
parent0d2b67d17c9b5faec1ca223c91128b8de9eb299c (diff)
downloadffmpeg-6de5ec8ef818774c58a1c4cd9548534be0e54ecc.tar.gz
avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2
Fixes: out of array accesses Found-by: JunDong Xie of Ant-financial Light-Year Security Lab Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit ffcc82219cef0928bed2d558b19ef6ea35634130) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavformat/rtmppkt.c57
1 files changed, 37 insertions, 20 deletions
diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c
index 2ea88d09c5..ca7838868e 100644
--- a/libavformat/rtmppkt.c
+++ b/libavformat/rtmppkt.c
@@ -505,53 +505,70 @@ int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end)
return bytestream2_tell(&gb);
}
-int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end,
+static int amf_get_field_value2(GetByteContext *gb,
const uint8_t *name, uint8_t *dst, int dst_size)
{
int namelen = strlen(name);
int len;
- while (*data != AMF_DATA_TYPE_OBJECT && data < data_end) {
- len = ff_amf_tag_size(data, data_end);
- if (len < 0)
- len = data_end - data;
- data += len;
+ while (bytestream2_peek_byte(gb) != AMF_DATA_TYPE_OBJECT && bytestream2_get_bytes_left(gb) > 0) {
+ int ret = amf_tag_skip(gb);
+ if (ret < 0)
+ return -1;
}
- if (data_end - data < 3)
+ if (bytestream2_get_bytes_left(gb) < 3)
return -1;
- data++;
+ bytestream2_get_byte(gb);
+
for (;;) {
- int size = bytestream_get_be16(&data);
+ int size = bytestream2_get_be16(gb);
if (!size)
break;
- if (size < 0 || size >= data_end - data)
+ if (size < 0 || size >= bytestream2_get_bytes_left(gb))
return -1;
- data += size;
- if (size == namelen && !memcmp(data-size, name, namelen)) {
- switch (*data++) {
+ bytestream2_skip(gb, size);
+ if (size == namelen && !memcmp(gb->buffer-size, name, namelen)) {
+ switch (bytestream2_get_byte(gb)) {
case AMF_DATA_TYPE_NUMBER:
- snprintf(dst, dst_size, "%g", av_int2double(AV_RB64(data)));
+ snprintf(dst, dst_size, "%g", av_int2double(bytestream2_get_be64(gb)));
break;
case AMF_DATA_TYPE_BOOL:
- snprintf(dst, dst_size, "%s", *data ? "true" : "false");
+ snprintf(dst, dst_size, "%s", bytestream2_get_byte(gb) ? "true" : "false");
break;
case AMF_DATA_TYPE_STRING:
- len = bytestream_get_be16(&data);
- av_strlcpy(dst, data, FFMIN(len+1, dst_size));
+ len = bytestream2_get_be16(gb);
+ if (dst_size < 1)
+ return -1;
+ if (dst_size < len + 1)
+ len = dst_size - 1;
+ bytestream2_get_buffer(gb, dst, len);
+ dst[len] = 0;
break;
default:
return -1;
}
return 0;
}
- len = ff_amf_tag_size(data, data_end);
- if (len < 0 || len >= data_end - data)
+ len = amf_tag_skip(gb);
+ if (len < 0 || bytestream2_get_bytes_left(gb) <= 0)
return -1;
- data += len;
}
return -1;
}
+int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end,
+ const uint8_t *name, uint8_t *dst, int dst_size)
+{
+ GetByteContext gb;
+
+ if (data >= data_end)
+ return -1;
+
+ bytestream2_init(&gb, data, data_end - data);
+
+ return amf_get_field_value2(&gb, name, dst, dst_size);
+}
+
static const char* rtmp_packet_type(int type)
{
switch (type) {