From 0bacfa8d37710b904897e7cbeb8d6f96fbf75e2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?=
Date: Thu, 8 May 2014 15:12:23 +0300
Subject: [PATCH] rtmpproto: Check the buffer sizes when copying app/playpath strings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As pointed out by Reimar Döffinger.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö
---
 libavformat/rtmpproto.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 2962737ed0..0cc702ad62 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -2484,12 +2484,13 @@ reconnect:
 if (qmark && strstr(qmark, "slist=")) {
 char* amp;
 // After slist we have the playpath, before the params, the app
- av_strlcpy(rt->app, path + 1, qmark - path);
+ av_strlcpy(rt->app, path + 1, FFMIN(qmark - path, APP_MAX_LENGTH));
 fname = strstr(path, "slist=") + 6;
 // Strip any further query parameters from fname
 amp = strchr(fname, '&');
 if (amp) {
- av_strlcpy(fname_buffer, fname, amp - fname + 1);
+ av_strlcpy(fname_buffer, fname, FFMIN(amp - fname + 1,
+ sizeof(fname_buffer)));
 fname = fname_buffer;
 }
 } else if (!strncmp(path, "/ondemand/", 10)) {
@@ -2507,10 +2508,10 @@ reconnect:
 fname = strchr(p + 1, '/');
 if (!fname || (c && c < fname)) {
 fname = p + 1;
- av_strlcpy(rt->app, path + 1, p - path);
+ av_strlcpy(rt->app, path + 1, FFMIN(p - path, APP_MAX_LENGTH));
 } else {
 fname++;
- av_strlcpy(rt->app, path + 1, fname - path - 1);
+ av_strlcpy(rt->app, path + 1, FFMIN(fname - path - 1, APP_MAX_LENGTH));
 }
 }
 }
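Review bot: An over-long app or playpath is now silently truncated instead of rejected, so the connection may proceed with a different app or stream name than the URL requested. This applies to both clamped copies in the first hunk and both `rt->app` copies in the second. The clamp does stop the out-of-bounds write, but a caller has no way to tell that truncation occurred. I would test the length before each copy, e.g. `if (qmark - path > APP_MAX_LENGTH)` and `if (amp - fname + 1 > sizeof(fname_buffer))`, and either fail the open with an error code or at least log a warning. The enclosing function starts and ends outside the hunk, so whichever error path it already uses should be reused.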
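Review bot: The two `rt->app` copies in this hunk, like the one in the first hunk, are clamped to the constant `APP_MAX_LENGTH` rather than to the size of the destination itself. The `fname_buffer` copy, by contrast, uses `sizeof(fname_buffer)`. The declaration or allocation of `rt->app` is not visible in these hunks, so the bound is only correct if that buffer really holds `APP_MAX_LENGTH` bytes; please confirm this. I would add a comment at the first call such as `/* rt->app holds APP_MAX_LENGTH bytes; av_strlcpy() always NUL-terminates within the given size */`. That ties the clamp to the allocation if either one changes later.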