authorMartin Storsjö <martin@martin.st>2014-05-08 15:12:23 +0300
committerMartin Storsjö <martin@martin.st>2014-05-08 19:02:43 +0300
commit0bacfa8d37710b904897e7cbeb8d6f96fbf75e2e (patch)
tree993a521123e5c0af778fb5091ff038bd68bafc70 /libavformat
parent7ce3bd9614717e545af8fb8455032c807e389b78 (diff)
rtmpproto: Check the buffer sizes when copying app/playpath strings
As pointed out by Reimar Döffinger. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st>
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/rtmpproto.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 2962737ed0..0cc702ad62 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -2484,12 +2484,13 @@ reconnect:
if (qmark && strstr(qmark, "slist=")) {
char* amp;
// After slist we have the playpath, before the params, the app
- av_strlcpy(rt->app, path + 1, qmark - path);
+ av_strlcpy(rt->app, path + 1, FFMIN(qmark - path, APP_MAX_LENGTH));
fname = strstr(path, "slist=") + 6;
// Strip any further query parameters from fname
amp = strchr(fname, '&');
if (amp) {
- av_strlcpy(fname_buffer, fname, amp - fname + 1);
+ av_strlcpy(fname_buffer, fname, FFMIN(amp - fname + 1,
+ sizeof(fname_buffer)));
fname = fname_buffer;
}
} else if (!strncmp(path, "/ondemand/", 10)) {
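Review bot: The clamped copies into `rt->app` and `fname_buffer` now truncate an over-long app or playpath silently, so the connection would proceed with a shortened name that is not what the URL asked for. A length check before each copy would make that visible, for example `if (qmark - path > APP_MAX_LENGTH) av_log(s, AV_LOG_WARNING, "RTMP app name truncated\n");`, where `s` stands for the enclosing function's logging context, which is not visible in this hunk. Whether to warn or to fail the open is a policy choice, but the truncation should not pass unnoticed. The same applies to the two `rt->app` copies in the second hunk; the enclosing function starts and ends outside both hunks.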
@@ -2507,10 +2508,10 @@ reconnect:
fname = strchr(p + 1, '/');
if (!fname || (c && c < fname)) {
fname = p + 1;
- av_strlcpy(rt->app, path + 1, p - path);
+ av_strlcpy(rt->app, path + 1, FFMIN(p - path, APP_MAX_LENGTH));
} else {
fname++;
- av_strlcpy(rt->app, path + 1, fname - path - 1);
+ av_strlcpy(rt->app, path + 1, FFMIN(fname - path - 1, APP_MAX_LENGTH));
}
}
}
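Review bot: The bound for `rt->app` is the bare constant `APP_MAX_LENGTH`, repeated at each call site (here twice, and once in the first hunk), whereas the `fname_buffer` copy uses `sizeof(fname_buffer)` and so follows the declaration. These clamps are only correct if `rt->app` is allocated with at least `APP_MAX_LENGTH` bytes, and that allocation is not visible in this diff. A comment at the first use would record the dependency, for example `/* rt->app must be at least APP_MAX_LENGTH bytes; see its allocation */`. Alternatively, a small static helper taking `(rt, src, len)` would keep the clamp in one place. The size arguments are signed pointer differences, so a short comment stating that `p` and `fname` always point past `path` would also help, presumably guaranteed by code above the hunk.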