From d7474341857cf8482e3037648afbe4831590fa8e Mon Sep 17 00:00:00 2001 
From: Christophe Mutricy 
Date: Wed, 10 Feb 2010 23:31:56 +0000 
Subject: [PATCH] RTMP: Don't trust the length given by the stream and fix a null-dereference 
Test url: rtmp://cp31335.live.edgefcs.net/live/ (no longer crash but doesn't work) 
---
 modules/access/rtmp/rtmp_amf_flv.c | 8 ++++++++
 1 file changed, 8 insertions(+) 
diff --git a/modules/access/rtmp/rtmp_amf_flv.c b/modules/access/rtmp/rtmp_amf_flv.c 
index ff5673f33a..efad33fa76 100644 
--- a/modules/access/rtmp/rtmp_amf_flv.c 
+++ b/modules/access/rtmp/rtmp_amf_flv.c 
@@ -1064,6 +1064,11 @@ rtmp_handler_invoke( rtmp_control_thread_t *p_thread, rtmp_packet_t *rtmp_packet
 i++; /* Pass over AMF_DATATYPE_STRING */
 string = amf_decode_string( &i ); 
+ if( !string ) 
+ { 
+ msg_Err(p_thread,"Seriously broken stream"); 
+ return; 
+ }
 i++; /* Pass over AMF_DATATYPE_NUMBER */
 number = amf_decode_number( &i ); 
@@ -2191,6 +2196,9 @@ amf_decode_string( uint8_t **buffer )
 length = ntoh16( *(uint16_t *) *buffer );
 *buffer += sizeof( uint16_t ); 
+ if( length > sizeof( *buffer ) / sizeof( uint8_t )) return NULL; + out = (char *) malloc( length + 1 ); /* '\0' terminated */
 if( !out )
 return NULL; 
-- 
2.39.2
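Review bot: The new guard only handles the NULL that amf_decode_string returns, while the `i++` on the first context line still skips a type byte that is never checked to be AMF_DATATYPE_STRING, and the `amf_decode_number( &i )` call after the added block reads through `i` with no bound at all, so a truncated invoke packet still over-reads past this check. If AMF_DATATYPE_STRING is a real constant (the comment suggests it is), the skip should become a check, `if( *i++ != AMF_DATATYPE_STRING ) { msg_Err( p_thread, "invoke: expected string" ); return; }`, and the number that follows deserves the same treatment. amf_decode_string also returns NULL for a failed malloc, not only for a rejected length, so the message should not assert that the stream is broken; `msg_Err( p_thread, "invoke: cannot decode command name" )` is truthful and matches the spacing the file uses in `if( !string )`. rtmp_handler_invoke starts before this hunk, so whether the early return leaks anything allocated earlier in the function cannot be checked from here.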
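Review bot: The bound added here compares `length` against `sizeof( *buffer ) / sizeof( uint8_t )`, and `*buffer` is a `uint8_t *`, so that expression is the size of a pointer (4 or 8), not the number of bytes left in the packet: every string longer than a pointer is rejected (which would explain the "doesn't work" in the description) while a short packet carrying a large `length` is still never checked against the real end of the data. The two-byte read of the length field on the first context line also happens before any check, so a packet that ends inside that field is still over-read. amf_decode_string cannot know where the buffer ends from `uint8_t **buffer` alone; the caller has to pass the packet end, which changes the signature and therefore every call site (all outside this hunk). The rest of the function, where `length` bytes are presumably copied into `out`, continues after the hunk and must use the same bound.
```c
amf_decode_string( uint8_t **buffer, const uint8_t *end )
{
    /* … unchanged: declarations … */
    /* Both the 16-bit length field and the bytes it announces come from
     * the network: bound each against what is actually left in the packet. */
    if( end < *buffer || (size_t)( end - *buffer ) < sizeof( uint16_t ) )
        return NULL;
    length = ntoh16( *(uint16_t *) *buffer );
    *buffer += sizeof( uint16_t );

    if( (size_t)( end - *buffer ) < length )
        return NULL;
    /* … unchanged: allocate length + 1, copy, terminate … */
```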