On Thu, Jul 26, 2012 at 8:17 PM, Martin Storsjö <mar...@martin.st> wrote:
> On Thu, 26 Jul 2012, Samuel Pitoiset wrote:
>
>> On Thu, Jul 26, 2012 at 7:27 PM, Martin Storsjö <mar...@martin.st> wrote:
>>>
>>> On Thu, 26 Jul 2012, Samuel Pitoiset wrote:
>>>
>>>> ---
>>>> libavformat/rtmpproto.c | 6 ++++++
>>>> 1 file changed, 6 insertions(+)
>>>>
>>>> diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
>>>> index a2efe38..a32c4a9 100644
>>>> --- a/libavformat/rtmpproto.c
>>>> +++ b/libavformat/rtmpproto.c
>>>> @@ -915,6 +915,12 @@ static int handle_ping(URLContext *s, RTMPPacket
>>>> *pkt)
>>>>
>>>>     t = AV_RB16(pkt->data);
>>>>     if (t == 6) {
>>>> +        if (pkt->data_size < 6) {
>>>> +            av_log(s, AV_LOG_ERROR, "Too short ping packet (%d)\n",
>>>> +                   pkt->data_size);
>>>> +            return AVERROR_INVALIDDATA;
>>>> +        }
>>>> +
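Review bot: the `pkt->data_size < 6` check sits inside the `if (t == 6)` branch, so `t = AV_RB16(pkt->data)` on the line above that branch has already read two bytes before any length is validated. Check that `pkt->data_size` is at least 2 before reading `t`, and set the bound used inside the branch from the offsets that branch actually reads rather than from a packet size observed in a capture.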
>>>
>>>
>>>
>>> The commit and warning messages are good this time, however the code itself
>>> is wrong in two different ways. Where did you get the number 6, and why do
>>> you do the check here?
>>
>>
>> I played a stream using an FMS and I used Wireshark in order to find
>> the size of a ping packet.
>>
>> I do the check here because that handle function can receive other
>> packets like a swfverification request, for example. And if this
>> packet is not 6 bytes long a *wrong* error code is returned.
>
>
> Your argumentation is flawed, and so is your way of figuring out the size
> limit.
>
> Why do we check the size of buffers?

We check the size of buffers in order to prevent reading outside an
allocated buffer.



-- 
Best regards,
Samuel Pitoiset.
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
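
The point about reading outside an allocated buffer, as an added example that is not code from this thread or from libavformat: each length bound is taken from the offset and width of the read it guards. All names here are hypothetical, and the layout (2-byte event type, then a 4-byte timestamp for ping request type 6) is assumed from the RTMP specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this example; not libavformat identifiers. */
enum { UCM_OK = 0, UCM_TRUNCATED = -1 };
#define UCM_PING_REQUEST 6       /* assumed: RTMP user control "ping request" */

struct ucm {
    uint16_t type;               /* event type, big-endian on the wire */
    uint32_t timestamp;          /* only filled in for ping requests */
};

static uint16_t rb16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rb32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
           (uint32_t)p[2] << 8  | (uint32_t)p[3];
}

/* Every bound equals offset + width of the read that follows it. */
int parse_user_control(const uint8_t *data, size_t size, struct ucm *out)
{
    if (size < 2)                /* rb16 at offset 0 touches bytes 0..1 */
        return UCM_TRUNCATED;
    out->type = rb16(data);
    out->timestamp = 0;

    if (out->type == UCM_PING_REQUEST) {
        if (size < 2 + 4)        /* rb32 at offset 2 touches bytes 2..5 */
            return UCM_TRUNCATED;
        out->timestamp = rb32(data + 2);
    }
    return UCM_OK;               /* other event types: payload is not read here */
}

int main(void)
{
    /* Constructed sample: ping request carrying timestamp 0x00000102. */
    const uint8_t ping[] = { 0x00, 0x06, 0x00, 0x00, 0x01, 0x02 };
    struct ucm m;
    int full = parse_user_control(ping, sizeof ping, &m);
    int cut  = parse_user_control(ping, 5, &m);
    printf("full packet: %d, cut to 5 bytes: %d\n", full, cut);
    return 0;
}
```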
