rtmpproto: Check the buffer sizes when copying app/playpath strings
As pointed out by Reimar Döffinger. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st>
This commit is contained in:
Martin Storsjö
@@ -2484,12 +2484,13 @@ reconnect:
|
|||||||
if (qmark && strstr(qmark, "slist=")) {
|
if (qmark && strstr(qmark, "slist=")) {
|
||||||
char* amp;
|
char* amp;
|
||||||
// After slist we have the playpath, before the params, the app
|
// After slist we have the playpath, before the params, the app
|
||||||
av_strlcpy(rt->app, path + 1, qmark - path);
|
av_strlcpy(rt->app, path + 1, FFMIN(qmark - path, APP_MAX_LENGTH));
|
||||||
fname = strstr(path, "slist=") + 6;
|
fname = strstr(path, "slist=") + 6;
|
||||||
// Strip any further query parameters from fname
|
// Strip any further query parameters from fname
|
||||||
amp = strchr(fname, '&');
|
amp = strchr(fname, '&');
|
||||||
if (amp) {
|
if (amp) {
|
||||||
av_strlcpy(fname_buffer, fname, amp - fname + 1);
|
av_strlcpy(fname_buffer, fname, FFMIN(amp - fname + 1,
|
||||||
|
sizeof(fname_buffer)));
|
||||||
fname = fname_buffer;
|
fname = fname_buffer;
|
||||||
}
|
}
|
||||||
} else if (!strncmp(path, "/ondemand/", 10)) {
|
} else if (!strncmp(path, "/ondemand/", 10)) {
|
||||||
@@ -2507,10 +2508,10 @@ reconnect:
|
|||||||
fname = strchr(p + 1, '/');
|
fname = strchr(p + 1, '/');
|
||||||
if (!fname || (c && c < fname)) {
|
if (!fname || (c && c < fname)) {
|
||||||
fname = p + 1;
|
fname = p + 1;
|
||||||
av_strlcpy(rt->app, path + 1, p - path);
|
av_strlcpy(rt->app, path + 1, FFMIN(p - path, APP_MAX_LENGTH));
|
||||||
} else {
|
} else {
|
||||||
fname++;
|
fname++;
|
||||||
av_strlcpy(rt->app, path + 1, fname - path - 1);
|
av_strlcpy(rt->app, path + 1, FFMIN(fname - path - 1, APP_MAX_LENGTH));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user