rtmpproto: Validate the embedded flv packet size before copying

This wasn't an issue prior to 58404738, when the whole RTMP packet was copied at once and the length of the individual embedded flv packets only were validated by the flv demuxer. Prior to this patch, this could lead to reads and writes out of bound. Signed-off-by: Martin Storsjö <martin@martin.st>
2013-10-03 13:49:50 +02:00 · 2013-10-03 13:49:50 +02:00 · cd818b3a57
commit cd818b3a57
parent 8921e32f73
1 changed files with 2 additions and 0 deletions
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@ -2221,6 +2221,8 @@ static int handle_metadata(RTMPContext *rt, RTMPPacket *pkt)
            pts = cts;
        ts += cts - pts;
        pts = cts;
+        if (size + 3 + 4 > pkt->data + pkt->size - next)
+            break;
        bytestream_put_byte(&p, type);
        bytestream_put_be24(&p, size);
        bytestream_put_be24(&p, ts);