From ecb918e5f0a4395468862b5fbd11a51de9be3d4f Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Tue, 22 Jan 2013 21:40:05 -0500 Subject: [PATCH] rtmp: fix buffer overflows in ff_amf_tag_contents() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A negative `size' will bypass FFMIN(). In the subsequent memcpy() call, `size' will be considered as a large positive value, leading to a buffer overflow. Change the type of `size' to unsigned int to avoid buffer overflow, and simplify overflow checks accordingly. Also change a literal buffer size to use sizeof, and limit the amount of data copied in another memcpy call as well. Signed-off-by: Xi Wang Signed-off-by: Martin Storsjö --- libavformat/rtmppkt.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index a9d0a0d9f3..119cdfa765 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -440,7 +440,7 @@ static const char* rtmp_packet_type(int type) static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *data_end) { - int size; + unsigned int size; char buf[1024]; if (data >= data_end) @@ -459,7 +459,7 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d } else { size = bytestream_get_be32(&data); } - size = FFMIN(size, 1023); + size = FFMIN(size, sizeof(buf) - 1); memcpy(buf, data, size); buf[size] = 0; av_log(ctx, AV_LOG_DEBUG, " string '%s'\n", buf); @@ -472,16 +472,15 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d case AMF_DATA_TYPE_OBJECT: av_log(ctx, AV_LOG_DEBUG, " {\n"); for (;;) { - int size = bytestream_get_be16(&data); int t; - memcpy(buf, data, size); - buf[size] = 0; + size = bytestream_get_be16(&data); + av_strlcpy(buf, data, FFMIN(sizeof(buf), size + 1)); if (!size) { av_log(ctx, AV_LOG_DEBUG, " }\n"); data++; break; } - if (size < 0 || size >= data_end - data) + if (size >= data_end - data) return; data += size; av_log(ctx, AV_LOG_DEBUG, " %s: ", buf);