Fixes: out of array accesses
Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ffcc82219c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array accesses
Fixes: crash-9238fa9e8d4fde3beda1f279626f53812cb001cb-SEGV
Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 08c073434e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes out of array access
Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7d57ca4d9a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Instead of returning EINVAL, which can cause a stream to fail to load, this
allows the tag to be passed through to the flv demuxer, where it's summarily
ignored.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* commit '024e5a2d5ff8a94adce48abb15ce2fb471f9d18e':
rtmppkt: Repeat the full 32 bit timestamp for chunking continuation packets
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This fixes sending chunked packets (packets larger than the output
chunk size, which often can be e.g. 4096 bytes) with a timestamp delta
(or absolute timstamp, if it's a timestamp step backwards, or the
first packet of the stream) larger than 0xffffffff.
The RTMP spec explicitly says (in section 5.3.1.3.) that packets of
type 3 (continuation packets) should include this field, if the
previous non-continuation packet had it included.
The receiving code handles these packets correctly.
Pointed out by Cheolho Park.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
We try to avoid mixing av_malloc with av_realloc, since av_malloc
may be implemented with functions that can't (formally) be mixed
with the functions used in av_realloc.
Signed-off-by: Martin Storsjö <martin@martin.st>
* commit '3b18857ab301d2a0b3e86e9d85eed76f0798a29c':
rtmppkt: Add method to read an AMF string that is not prefixed by its type
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '5b2ad78f97d43299adcb038c04346999fe9b196c':
rtmppkt: Handle extended timestamp field even for one-byte header
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Based on a suggestion by Martin Panter. This is more descriptive,
since it's the actual timestamp field from the RTMP packet,
which might or might not be a delta depending on context (in
some packets it's a delta, in some packets it's an absolute
timestamp, and in some packets it's 0xffffff to indicate that
the actual delta or absolute timestamp is transmitted separately).
Signed-off-by: Martin Storsjö <martin@martin.st>
Related fix in "rtmpdump":
https://repo.or.cz/w/rtmpdump.git/commitdiff/79459a2
Adobe's RTMP specification (21 Dec 2012), section 5.3.1.3 ("Extended
Timestamp"), says "this field is present in Type 3 chunks". Type 3 chunks are
those with the one-byte header size.
This resolves intermittent hangs and segfaults caused by the read function,
and also includes an untested fix for the write function.
The read function was tested with ABC (Australia) News 24 streams, however
they are probably restricted to only Australian internet addresses. Some of
the packets at the start of these streams seem to contain junk timestamp
fields, often requiring the extended field. Test command:
avplay rtmp://cp81899.live.edgefcs.net/live/news24-med@28772
Signed-off-by: Martin Storsjö <martin@martin.st>
* commit '89564be444d24f75ea5add8b6987e414cf7aa7d5':
rtmpproto: Send a full, absolute timestamp if it isn't monotonically growing
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The normal differential timestamps can't handle negative
differences, thus send a full packet header with an absolute
timestamp in these cases.
Signed-off-by: Martin Storsjö <martin@martin.st>
Normally, all channel ids are between 0 and 10, while they in
uncommon cases can have values up to 64k.
This avoids allocating two arrays for up to 64k entries (at a total
of over 6 MB in size) each when most of them aren't used at all.
Signed-off-by: Martin Storsjö <martin@martin.st>
And fix the AMF_DATA_TYPE_ARRAY parsing while at it.
A MIXEDARRAY type, as the ARRAY, store the number of elements in
an uint32 before the list. The ARRAY is strict and does not have
an OBJECT terminator, MIXEDARRAY behaves like an OBJECT type and
a different than stated number of element can be present.
A given packet won't always come in contiguously; sometimes
they may be broken up on chunk boundaries by packets of another
channel.
This support primarily involves tracking information about the
data that's been read, so the reader can pick up where it left
off for a given channel.
As a side effect, we no longer over-report the bytes read if
(toread = MIN(size, chunk_size)) == size
Signed-off-by: Martin Storsjö <martin@martin.st>
* commit '28306e6d620c109ddd672f7243adfbc2bbb3b18f':
network: factor out bind-listening code
use my full first name instead of short one in copyrights
Conflicts:
libavformat/tcp.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'e926b5ceb1962833f0c884a328382bc2eca67aff':
avformat: Drop unnecessary ff_ name prefixes from static functions
Conflicts:
libavformat/audiointerleave.c
libavformat/mux.c
libavformat/mxfenc.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
A negative `size' will bypass FFMIN(). In the subsequent memcpy() call,
`size' will be considered as a large positive value, leading to a buffer
overflow.
Change the type of `size' to unsigned int to avoid buffer overflow, and
simplify overflow checks accordingly. Also change a literal buffer
size to use sizeof, and limit the amount of data copied in another
memcpy call as well.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Martin Storsjö <martin@martin.st>
Sanity checks like `data + size >= data_end || data + size < data' are
broken, because `data + size < data' assumes pointer overflow, which is
undefined behavior in C. Many compilers such as gcc/clang optimize such
checks away.
Use `size < 0 || size >= data_end - data' instead.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Martin Storsjö <martin@martin.st>
A negative `size' will bypass FFMIN(). In the subsequent memcpy() call,
`size' will be considered as a large positive value, leading to a buffer
overflow.
Change the type of `size' to unsigned int to avoid buffer overflow, and
simplify overflow checks accordingly.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Sanity checks like `data + size >= data_end || data + size < data' are
broken, because `data + size < data' assumes pointer overflow, which is
undefined behavior in C. Many compilers such as gcc/clang optimize such
checks away.
Use `size < 0 || size >= data_end - data' instead.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit '33f28a3be3092f642778253d9529dd66fe2a014a':
rtmp: Add a function for writing AMF strings based on two substrings
rtmp: Return a proper error code in handle_invoke_error
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
Avoid C99 variable declarations within for statements.
rtmp: Read and handle incoming packets while writing data
doc: document THREAD_TYPE fate variable
rtpdec: Don't require frames to start with a Mode A packet
avconv: don't try to free threads that were not initialized.
Conflicts:
doc/fate.texi
ffplay.c
libavdevice/dv1394.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This makes sure all incoming packets are read and handled (and reacted
to) while sending an FLV stream over RTMP to a server. If there were
enough incoming data to fill the TCP buffers, this could potentially
make things block at unexpected places. For the upcoming RTMPT support,
we need to consume all incoming data before we can send the next
request.
Signed-off-by: Martin Storsjö <martin@martin.st>
* qatar/master:
movenc: Don't write the 'wave' atom or its child 'enda' for lpcm audio.
imc: some cosmetics
rtmp: Pass the proper return code in rtmp_handshake
rtmp: Check return codes of net IO operations
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
rtmp: Return a proper error code instead of -1
rtmp: Check malloc calls
rtmp: Check ff_rtmp_packet_create calls
lavfi: add audio mix filter
flvdec: Make sure sample_rate is set to the updated value
tqi: Pass errors from the MB decoder
Conflicts:
Changelog
doc/filters.texi
libavcodec/eatqi.c
libavfilter/Makefile
libavfilter/allfilters.c
libavfilter/version.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
x86: cabac: replace explicit memory references with "m" operands
avplay: don't request a stereo downmix
wmapro: use av_float2int()
lavc: avoid invalid memcpy() in avcodec_default_release_buffer()
lavu: replace int/float punning functions
lavfi: install libavfilter/vsrc_buffer.h
Remove extraneous semicolons
sdp: Restore the original mp4 format h264 extradata if converted
rtpenc: Add support for mp4 format h264
rtpenc: Simplify code by introducing a separate end pointer
movenc: Use the actual converted sample for RTP hinting
Fix a bunch of common typos.
Conflicts:
doc/developer.texi
doc/eval.texi
doc/filters.texi
doc/protocols.texi
ffmpeg.c
ffplay.c
libavcodec/mpegvideo.h
libavcodec/x86/cabac.h
libavfilter/Makefile
libavformat/avformat.h
libavformat/cafdec.c
libavformat/flvdec.c
libavformat/flvenc.c
libavformat/gxfenc.c
libavformat/img2.c
libavformat/movenc.c
libavformat/mpegts.c
libavformat/rtpenc_h264.c
libavformat/utils.c
libavformat/wtv.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>