RTMP: Don't trust the length given by the stream
authorChristophe Mutricy <xtophe@videolan.org>
Wed, 10 Feb 2010 23:31:56 +0000 (23:31 +0000)
committerChristophe Mutricy <xtophe@videolan.org>
Wed, 10 Feb 2010 23:38:55 +0000 (23:38 +0000)
and fix a null-dereference

Test url: rtmp://cp31335.live.edgefcs.net/live/ (no longer crashes but doesn't work)

modules/access/rtmp/rtmp_amf_flv.c

index ff5673f33a30ff7422ea3e327abc8597820d8275..efad33fa76a288bc9c2952f83b300d0c95747210 100644 (file)
@@ -1064,6 +1064,11 @@ rtmp_handler_invoke( rtmp_control_thread_t *p_thread, rtmp_packet_t *rtmp_packet
 
     i++; /* Pass over AMF_DATATYPE_STRING */
     string = amf_decode_string( &i );
+    if( !string )
+    {
+        msg_Err(p_thread,"Seriously broken stream");
+        return;
+    }
 
     i++; /* Pass over AMF_DATATYPE_NUMBER */
     number = amf_decode_number( &i );
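Review bot: The new `if( !string )` bail-out will fire on nearly every valid invoke, because the check it relies on in amf_decode_string (later hunk), `length > sizeof( *buffer ) / sizeof( uint8_t )`, measures a `uint8_t *` (4 or 8 bytes) rather than the data left in the packet; that may be why the test URL in the description no longer works. The over-read also stays open for short packets: a body with fewer than `length` bytes left still passes whenever `length` is at most pointer size, and the 16-bit length itself is read before any check. The decoder needs the real bound, for example an end-of-body pointer passed in and `if( length > (size_t)( end - *buffer ) ) return NULL;`, where `end` is a placeholder because the packet's length field is not visible here. In this hunk the `i++` steps and `amf_decode_number( &i )` are likewise unbounded, and the early `return` should be checked against anything allocated earlier in rtmp_handler_invoke, whose body starts and ends outside the hunk.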
@@ -2191,6 +2196,9 @@ amf_decode_string( uint8_t **buffer )
     length = ntoh16( *(uint16_t *) *buffer );
     *buffer += sizeof( uint16_t );
 
+    if( length > sizeof( *buffer ) / sizeof( uint8_t ))
+        return NULL;
+
     out = (char *) malloc( length + 1 ); /* '\0' terminated */
     if( !out ) return NULL;