On Thu, 26 Jul 2012, Samuel Pitoiset wrote:
On Thu, Jul 26, 2012 at 7:27 PM, Martin Storsjö <mar...@martin.st> wrote:
On Thu, 26 Jul 2012, Samuel Pitoiset wrote:
---
libavformat/rtmpproto.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index a2efe38..a32c4a9 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -915,6 +915,12 @@ static int handle_ping(URLContext *s, RTMPPacket
*pkt)
t = AV_RB16(pkt->data);
if (t == 6) {
+ if (pkt->data_size < 6) {
+ av_log(s, AV_LOG_ERROR, "Too short ping packet (%d)\n",
+ pkt->data_size);
+ return AVERROR_INVALIDDATA;
+ }
+
The commit and warning messages are good this time, however the code itself
is wrong in two different ways. Where did you get the number 6, and why do
you do the check here?
I played a stream using a FMS and I used Wireshark in order to find
the size of a ping packet.
I do the check here because that handle function can received other
packets like a swfverification request, for example. And if this
packet is not 6 bytes long a *wrong* error code is returned.
Your argumentation is flawed, and so is your way of figuring out the size
limit.
Why do we check the size of buffers?
// Martin
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
