This wasn't an issue prior to 58404738, when the whole RTMP packet
was copied at once and the length of the individual embedded flv
packets only were validated by the flv demuxer.
Prior to this patch, this could lead to reads and writes out of bounds.
---
libavformat/rtmpproto.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index da4b8ae..db0ebb1 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -2221,6 +2221,8 @@ static int handle_metadata(RTMPContext *rt, RTMPPacket
*pkt)
pts = cts;
ts += cts - pts;
pts = cts;
+ if (size + 3 + 4 > pkt->data + pkt->size - next)
+ break;
bytestream_put_byte(&p, type);
bytestream_put_be24(&p, size);
bytestream_put_be24(&p, ts);
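Review bot: the added condition `size + 3 + 4 > pkt->data + pkt->size - next` uses the bare constants 3 and 4 with no comment saying which fields of the embedded packet they account for; a one-line comment or named constants would make the bound auditable against the bytestream_put_* calls that follow. The `break` also leaves the loop silently when the embedded packet is truncated, so consider logging a warning or returning an error so that a malformed stream is visible to the caller. Finally, the check bounds the remaining input only; nothing in the visible lines shows that the destination written through `p` has room for the header and `size` bytes, so it is worth confirming that this is guaranteed elsewhere in handle_metadata.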
--
1.7.9.4