git.sesse.net Git - ffmpeg/commitdiff
rtmpproto: Validate the embedded flv packet size before copying
author: Martin Storsjö <martin@martin.st>
Thu, 3 Oct 2013 11:49:50 +0000 (13:49 +0200)
committer: Martin Storsjö <martin@martin.st>
Fri, 4 Oct 2013 06:25:10 +0000 (09:25 +0300)
This wasn't an issue prior to 58404738, when the whole RTMP packet
was copied at once and the length of the individual embedded flv
packets only were validated by the flv demuxer.

Prior to this patch, this could lead to reads and writes out of bound.

Signed-off-by: Martin Storsjö <martin@martin.st>
libavformat/rtmpproto.c

index e7e37a3656686e0917c4f4bc940b557078e3fe8a..3dbfc92c48aabe553954bf44adfc793eccae9625 100644 (file)
@@ -2221,6 +2221,8 @@ static int handle_metadata(RTMPContext *rt, RTMPPacket *pkt)
             pts = cts;
         ts += cts - pts;
         pts = cts;
+        if (size + 3 + 4 > pkt->data + pkt->size - next)
+            break;
         bytestream_put_byte(&p, type);
         bytestream_put_be24(&p, size);
         bytestream_put_be24(&p, ts);
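
Review bot: The added check `size + 3 + 4 > pkt->data + pkt->size - next` uses bare constants, and nothing in the hunk says which fields the 3 and 4 bytes stand for; a short comment naming them (or named constants) would let a reader confirm the bound matches what the loop later consumes from `next`. The check also only bounds the remaining input in `pkt->data`, while the lines right after it write through `p`; since the commit message mentions out-of-bounds writes as well as reads, a comment should state why staying within the input also keeps `p` inside its destination buffer. Finally, the `break` drops a truncated embedded packet silently; logging a warning on this path would make malformed streams visible to anyone debugging or monitoring them.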