RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

rtmppkt: Check for packet size mismatches 

When receiving fragmented packets, the first packet declares the size,
and the later ones normally are small follow-on packets that don't repeat
the size and the other header fields. But technically, the later fragments
also can have a full header, declaring a different size than the previous
packet.

If the follow-on packet declares a larger size than the initial one, we
could end up writing outside of the allocation.

This fixes out of bounds writes.

Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
This commit is contained in:
Michael Niedermayer 2016-12-05 11:14:51 +01:00 committed by Martin Storsjö
parent cdcfa97dc4
commit a4fec9a7ea
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
libavformat/rtmppkt.c
View File

@ -235,6 +235,14 @@ static int rtmp_packet_read_one_chunk(URLContext *h, RTMPPacket *p,
if (hdr != RTMP_PS_TWELVEBYTES)
timestamp += prev_pkt[channel_id].timestamp;
if (prev_pkt[channel_id].read && size != prev_pkt[channel_id].size) {
av_log(h, AV_LOG_ERROR, "RTMP packet size mismatch %d != %d\n",
size, prev_pkt[channel_id].size);
ff_rtmp_packet_destroy(&prev_pkt[channel_id]);
prev_pkt[channel_id].read = 0;
return AVERROR_INVALIDDATA;
}
if (!prev_pkt[channel_id].read) {
if ((ret = ff_rtmp_packet_create(p, channel_id, type, timestamp,
size)) < 0)