virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-11-23 21:54:53 +02:00
Code Issues Releases Activity

avformat/rtmpproto: consider command line argument lengths

Browse Source 
Fixes: out of array access
Fixes: zeropath/rtmp-2025-10

Found-by: Joshua Rogers <joshua@joshua.hu>
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2025-10-30 23:20:41 +01:00
parent a64e037429
commit 83e0298de2
1 changed files with 20 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
libavformat/rtmpproto.c
View File

@@ -163,6 +163,13 @@ static int handle_chunk_size(URLContext *s, RTMPPacket *pkt);
static int handle_window_ack_size(URLContext *s, RTMPPacket *pkt);
static int handle_set_peer_bw(URLContext *s, RTMPPacket *pkt);
static size_t zstrlen(const char *c)
{
if(c)
return strlen(c);
return 0;
}
static int add_tracked_method(RTMPContext *rt, const char *name, int id)
{
int err;
@@ -327,7 +334,16 @@ static int gen_connect(URLContext *s, RTMPContext *rt)
int ret;
if ((ret = ff_rtmp_packet_create(&pkt, RTMP_SYSTEM_CHANNEL, RTMP_PT_INVOKE,
0, 4096 + APP_MAX_LENGTH)) < 0)
0, 4096 + APP_MAX_LENGTH
+ strlen(rt->auth_params) + strlen(rt->flashver)
+ zstrlen(rt->enhanced_codecs)/5*7
+ zstrlen(rt->swfurl)
+ zstrlen(rt->swfverify)
+ zstrlen(rt->tcurl)
+ zstrlen(rt->auth_params)
+ zstrlen(rt->pageurl)
+ zstrlen(rt->conn)*3
)) < 0)
return ret;
p = pkt.data;
@@ -1926,7 +1942,9 @@ static int write_status(URLContext *s, RTMPPacket *pkt,
if ((ret = ff_rtmp_packet_create(&spkt, RTMP_SYSTEM_CHANNEL,
RTMP_PT_INVOKE, 0,
RTMP_PKTDATA_DEFAULT_SIZE)) < 0) {
RTMP_PKTDATA_DEFAULT_SIZE
+ strlen(status) + strlen(description)
+ zstrlen(details))) < 0) {
av_log(s, AV_LOG_ERROR, "Unable to create response packet\n");
return ret;
}