RTMP: totally broken, disabled for the time being

[vlc] / modules / access / rtmp / rtmp_amf_flv.c

diff --git a/modules/access/rtmp/rtmp_amf_flv.c b/modules/access/rtmp/rtmp_amf_flv.c
index 40cdc5aa6792821af1cd522f92ba76ba895102f5..a639221c4560380f1b5249864548c3d4ebff0e48 100644 (file)
--- a/modules/access/rtmp/rtmp_amf_flv.c
+++ b/modules/access/rtmp/rtmp_amf_flv.c
@@ -391,7 +391,7 @@ write_rtmp( rtmp_control_thread_t *p_thread, uint8_t *buf,
     free( buf );
     if( ret != enclen )
     {
-        msg_Err( p_thread, errmsg );
+        msg_Err( p_thread, "%s", errmsg );
         return 0;
     }
     return 1;
@@ -741,7 +741,7 @@ rtmp_build_bytes_read( rtmp_control_thread_t *p_thread, uint32_t reply )
     /* Build bytes read packet */
     rtmp_body = rtmp_body_new( -1 );
 
-    tmp_buffer = (uint8_t *) malloc( sizeof( uint32_t ) * sizeof( uint8_t ) );
+    tmp_buffer = (uint8_t *) malloc( sizeof( uint32_t ) );
     if( !tmp_buffer ) return NULL;
 
     reply = hton32( reply );
@@ -878,12 +878,13 @@ rtmp_build_flv_over_rtmp( rtmp_control_thread_t *p_thread, block_t *p_buffer )
     return rtmp_packet;
 }
 
+/* This function must be cancellation-safe! */
 rtmp_packet_t *
 rtmp_read_net_packet( rtmp_control_thread_t *p_thread )
 {
     int length_header;
     int stream_index;
-    int bytes_left;
+    size_t bytes_left;
     uint8_t p_read[12];
     rtmp_packet_t *header;
     ssize_t i_ret;
@@ -894,7 +895,7 @@ rtmp_read_net_packet( rtmp_control_thread_t *p_thread )
         if( i_ret != 1 )
             goto error;
 
-        length_header = rtmp_decode_header_size( (vlc_object_t *) p_thread,
+        length_header = rtmp_decode_header_size( VLC_OBJECT(p_thread),
                                           p_read[0] & RTMP_HEADER_SIZE_MASK );
         stream_index = p_read[0] & RTMP_HEADER_STREAM_INDEX_MASK;
         header = p_thread->rtmp_headers_recv+stream_index;
@@ -948,7 +949,7 @@ rtmp_read_net_packet( rtmp_control_thread_t *p_thread )
         i_ret = net_Read( p_thread, p_thread->fd, NULL,
             header->body->body + header->body->length_body, bytes_left, true );
 
-        if( i_ret != bytes_left )
+        if( i_ret != (ssize_t)bytes_left )
             goto error;
 
         header->body->length_body += bytes_left;
@@ -956,7 +957,7 @@ rtmp_read_net_packet( rtmp_control_thread_t *p_thread )
         if( header->length_body == header->body->length_body )
         {
             rtmp_packet_t *rpkt = (rtmp_packet_t*)malloc(sizeof(rtmp_packet_t));
-            if( !rpkt ) goto error;
+            if( !rpkt ) return NULL;
 
             rpkt->stream_index       = stream_index;
             rpkt->timestamp          = header->timestamp;
@@ -1063,6 +1064,11 @@ rtmp_handler_invoke( rtmp_control_thread_t *p_thread, rtmp_packet_t *rtmp_packet
 
     i++; /* Pass over AMF_DATATYPE_STRING */
     string = amf_decode_string( &i );
+    if( !string )
+    {
+        msg_Err(p_thread,"Seriously broken stream");
+        return;
+    }
 
     i++; /* Pass over AMF_DATATYPE_NUMBER */
     number = amf_decode_number( &i );
@@ -1277,6 +1283,7 @@ rtmp_handler_invoke( rtmp_control_thread_t *p_thread, rtmp_packet_t *rtmp_packet
                     msg_Dbg( p_thread, "key: %s value: %s", string, string2 );
                     if( strcmp( "code", string ) == 0 )
                     {
+#warning Locking bugs here.
                         if( strcmp( "NetConnection.Connect.Success", string2 ) == 0 )
                         {
                             p_thread->result_connect = 0;
@@ -1287,8 +1294,6 @@ rtmp_handler_invoke( rtmp_control_thread_t *p_thread, rtmp_packet_t *rtmp_packet
                         }
                         else if( strcmp( "NetConnection.Connect.InvalidApp", string2 ) == 0 )
                         {
-                            p_thread->b_die = 1; 
-
                             vlc_mutex_lock( &p_thread->lock );
                             vlc_cond_signal( &p_thread->wait );
                             vlc_mutex_unlock( &p_thread->lock );
@@ -2191,6 +2196,10 @@ amf_decode_string( uint8_t **buffer )
     length = ntoh16( *(uint16_t *) *buffer );
     *buffer += sizeof( uint16_t );
 
+#error This size is wrong and breaks just about everything.
+    if( length > sizeof( *buffer ) / sizeof( uint8_t ))
+        return NULL;
+
     out = (char *) malloc( length + 1 ); /* '\0' terminated */
     if( !out ) return NULL;