#define RESYNC_BUFFER_SIZE (1<<20)
+#define MAX_DEPTH 16 ///< arbitrary limit to prevent unbounded recursion
+
typedef struct FLVContext {
const AVClass *class; ///< Class for private options.
int trust_metadata; ///< configure streams according onMetaData
static int amf_get_string(AVIOContext *ioc, char *buffer, int buffsize)
{
+ int ret;
int length = avio_rb16(ioc);
if (length >= buffsize) {
avio_skip(ioc, length);
return -1;
}
- avio_read(ioc, buffer, length);
+ ret = avio_read(ioc, buffer, length);
+ if (ret < 0)
+ return ret;
+ if (ret < length)
+ return AVERROR_INVALIDDATA;
buffer[length] = '\0';
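Review bot: The oversize branch still returns a bare `-1` and discards the result of `avio_skip()`, while the new read path returns AVERROR codes, so the function now mixes two error conventions. Returning `AVERROR_INVALIDDATA` from that branch would keep the `< 0` contract and give a meaningful code to callers that propagate the value. The callers are not visible here, so first confirm that none compares against `-1` exactly. A one-line comment above the function saying that `buffer` is NUL-terminated only on success would also help, since a short read now leaves it partially filled. The end of the function is outside the hunk.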
}
for (i = 0; i < arraylen && avio_tell(ioc) < max_pos - 1; i++) {
+ double d;
if (avio_r8(ioc) != AMF_DATA_TYPE_NUMBER)
goto invalid;
- current_array[0][i] = av_int2double(avio_rb64(ioc));
+ d = av_int2double(avio_rb64(ioc));
+ if (isnan(d) || d < INT64_MIN || d > INT64_MAX)
+ goto invalid;
+ current_array[0][i] = d;
}
if (times && filepositions) {
// All done, exiting at a position allowing amf_parse_object
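Review bot: The upper bound in `d > INT64_MAX` on the added range check lets one out-of-range value through. INT64_MAX is converted to double for the comparison and rounds up to 2^63, so d == 2^63 passes the check. The assignment `current_array[0][i] = d;` is then still an out-of-range floating-to-integer conversion (undefined behaviour) if the array elements are int64_t, as the chosen bounds suggest. Writing the check as `if (isnan(d) || d < INT64_MIN || d >= INT64_MAX)` rejects that value and loses nothing valid, because the largest double below 2^63 is 2^63 - 1024. The enclosing function starts and ends outside the hunk.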
double num_val;
amf_date date;
+ if (depth > MAX_DEPTH)
+ return AVERROR_PATCHWELCOME;
+
num_val = 0;
ioc = s->pb;
if (avio_feof(ioc))
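Review bot: The depth guard `if (depth > MAX_DEPTH) return AVERROR_PATCHWELCOME;` rejects the input without logging anything, and the same pattern is added to amf_skip_tag further down. AMF nested more than 16 levels deep is more likely malformed or hostile input than a missing feature, so the PATCHWELCOME code alone makes such a rejection hard to triage. Here, where `s` is in scope, a line such as `av_log(s, AV_LOG_ERROR, "AMF nesting exceeds %d levels\n", MAX_DEPTH);` before the return would make it visible in logs. Also consider whether `AVERROR_INVALIDDATA` describes the condition better. The `depth` parameter and the recursive calls that increment it are outside this hunk, so confirm that every recursive path passes `depth + 1`.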
}
}
-static int amf_skip_tag(AVIOContext *pb, AMFDataType type)
+static int amf_skip_tag(AVIOContext *pb, AMFDataType type, int depth)
{
int nb = -1, ret, parse_name = 1;
+ if (depth > MAX_DEPTH)
+ return AVERROR_PATCHWELCOME;
+
+ if (avio_feof(pb))
+ return AVERROR_EOF;
+
switch (type) {
case AMF_DATA_TYPE_NUMBER:
avio_skip(pb, 8);
parse_name = 0;
case AMF_DATA_TYPE_MIXEDARRAY:
nb = avio_rb32(pb);
+ if (nb < 0)
+ return AVERROR_INVALIDDATA;
case AMF_DATA_TYPE_OBJECT:
while(!pb->eof_reached && (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY)) {
if (parse_name) {
}
avio_skip(pb, size);
}
- if ((ret = amf_skip_tag(pb, avio_r8(pb))) < 0)
+ if ((ret = amf_skip_tag(pb, avio_r8(pb), depth + 1)) < 0)
return ret;
}
break;
else
break;
} else {
- if ((ret = amf_skip_tag(pb, type)) < 0)
+ if ((ret = amf_skip_tag(pb, type, 0)) < 0)
goto skip;
}
}
avio_seek(s->pb, fsize - 3 - size, SEEK_SET);
if (size == avio_rb24(s->pb) + 11) {
uint32_t ts = avio_rb24(s->pb);
- ts |= avio_r8(s->pb) << 24;
+ ts |= (unsigned)avio_r8(s->pb) << 24;
if (ts)
s->duration = ts * (int64_t)AV_TIME_BASE / 1000;
else if (fsize >= 8 && fsize - 8 >= size) {
if (st->codecpar->codec_id == AV_CODEC_ID_H264 || st->codecpar->codec_id == AV_CODEC_ID_MPEG4) {
// sign extension
int32_t cts = (avio_rb24(s->pb) + 0xff800000) ^ 0xff800000;
- pts = dts + cts;
+ pts = av_sat_add64(dts, cts);
if (cts < 0) { // dts might be wrong
if (!flv->wrong_dts)
av_log(s, AV_LOG_WARNING,
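Review bot: `pts = av_sat_add64(dts, cts);` clamps silently, and nothing records that the sum was out of range. A result saturated at the lower end is INT64_MIN, the same value as AV_NOPTS_VALUE, while one saturated at the upper end is a bogus but valid-looking timestamp. A short comment such as `// dts may sit near the int64 limits for a damaged file; saturate instead of overflowing` would explain why plain addition was replaced. The computation of dts is outside the hunk, so confirm there whether it can actually reach those limits.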
.version = LIBAVUTIL_VERSION_INT,
};
-AVInputFormat ff_flv_demuxer = {
+const AVInputFormat ff_flv_demuxer = {
.name = "flv",
.long_name = NULL_IF_CONFIG_SMALL("FLV (Flash Video)"),
.priv_data_size = sizeof(FLVContext),
.version = LIBAVUTIL_VERSION_INT,
};
-AVInputFormat ff_live_flv_demuxer = {
+const AVInputFormat ff_live_flv_demuxer = {
.name = "live_flv",
.long_name = NULL_IF_CONFIG_SMALL("live RTMP FLV (Flash Video)"),
.priv_data_size = sizeof(FLVContext),
.version = LIBAVUTIL_VERSION_INT,
};
-AVInputFormat ff_kux_demuxer = {
+const AVInputFormat ff_kux_demuxer = {
.name = "kux",
.long_name = NULL_IF_CONFIG_SMALL("KUX (YouKu)"),
.priv_data_size = sizeof(FLVContext),