4641ae352e
Fixes potential security issue in case of running out of memory Found-by: ubitux Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
244 lines
7.0 KiB
C
244 lines
7.0 KiB
C
/*
|
|
* Session Announcement Protocol (RFC 2974) demuxer
|
|
* Copyright (c) 2010 Martin Storsjo
|
|
*
|
|
* This file is part of FFmpeg.
|
|
*
|
|
* FFmpeg is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* FFmpeg is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with FFmpeg; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
*/
|
|
|
|
#include "avformat.h"
|
|
#include "libavutil/avassert.h"
|
|
#include "libavutil/avstring.h"
|
|
#include "libavutil/intreadwrite.h"
|
|
#include "network.h"
|
|
#include "os_support.h"
|
|
#include "internal.h"
|
|
#include "avio_internal.h"
|
|
#include "url.h"
|
|
#include "rtpdec.h"
|
|
#if HAVE_POLL_H
|
|
#include <poll.h>
|
|
#endif
|
|
|
|
struct SAPState {
|
|
URLContext *ann_fd;
|
|
AVFormatContext *sdp_ctx;
|
|
AVIOContext sdp_pb;
|
|
uint16_t hash;
|
|
char *sdp;
|
|
int eof;
|
|
};
|
|
|
|
static int sap_probe(AVProbeData *p)
|
|
{
|
|
if (av_strstart(p->filename, "sap:", NULL))
|
|
return AVPROBE_SCORE_MAX;
|
|
return 0;
|
|
}
|
|
|
|
static int sap_read_close(AVFormatContext *s)
|
|
{
|
|
struct SAPState *sap = s->priv_data;
|
|
if (sap->sdp_ctx)
|
|
avformat_close_input(&sap->sdp_ctx);
|
|
if (sap->ann_fd)
|
|
ffurl_close(sap->ann_fd);
|
|
av_freep(&sap->sdp);
|
|
ff_network_close();
|
|
return 0;
|
|
}
|
|
|
|
static int sap_read_header(AVFormatContext *s)
|
|
{
|
|
struct SAPState *sap = s->priv_data;
|
|
char host[1024], path[1024], url[1024];
|
|
uint8_t recvbuf[RTP_MAX_PACKET_LENGTH];
|
|
int port;
|
|
int ret, i;
|
|
AVInputFormat* infmt;
|
|
|
|
if (!ff_network_init())
|
|
return AVERROR(EIO);
|
|
|
|
av_url_split(NULL, 0, NULL, 0, host, sizeof(host), &port,
|
|
path, sizeof(path), s->filename);
|
|
if (port < 0)
|
|
port = 9875;
|
|
|
|
if (!host[0]) {
|
|
/* Listen for announcements on sap.mcast.net if no host was specified */
|
|
av_strlcpy(host, "224.2.127.254", sizeof(host));
|
|
}
|
|
|
|
ff_url_join(url, sizeof(url), "udp", NULL, host, port, "?localport=%d",
|
|
port);
|
|
ret = ffurl_open(&sap->ann_fd, url, AVIO_FLAG_READ,
|
|
&s->interrupt_callback, NULL);
|
|
if (ret)
|
|
goto fail;
|
|
|
|
while (1) {
|
|
int addr_type, auth_len;
|
|
int pos;
|
|
|
|
ret = ffurl_read(sap->ann_fd, recvbuf, sizeof(recvbuf) - 1);
|
|
if (ret == AVERROR(EAGAIN))
|
|
continue;
|
|
if (ret < 0)
|
|
goto fail;
|
|
recvbuf[ret] = '\0'; /* Null terminate for easier parsing */
|
|
if (ret < 8) {
|
|
av_log(s, AV_LOG_WARNING, "Received too short packet\n");
|
|
continue;
|
|
}
|
|
|
|
if ((recvbuf[0] & 0xe0) != 0x20) {
|
|
av_log(s, AV_LOG_WARNING, "Unsupported SAP version packet "
|
|
"received\n");
|
|
continue;
|
|
}
|
|
|
|
if (recvbuf[0] & 0x04) {
|
|
av_log(s, AV_LOG_WARNING, "Received stream deletion "
|
|
"announcement\n");
|
|
continue;
|
|
}
|
|
addr_type = recvbuf[0] & 0x10;
|
|
auth_len = recvbuf[1];
|
|
sap->hash = AV_RB16(&recvbuf[2]);
|
|
pos = 4;
|
|
if (addr_type)
|
|
pos += 16; /* IPv6 */
|
|
else
|
|
pos += 4; /* IPv4 */
|
|
pos += auth_len * 4;
|
|
if (pos + 4 >= ret) {
|
|
av_log(s, AV_LOG_WARNING, "Received too short packet\n");
|
|
continue;
|
|
}
|
|
#define MIME "application/sdp"
|
|
if (strcmp(&recvbuf[pos], MIME) == 0) {
|
|
pos += strlen(MIME) + 1;
|
|
} else if (strncmp(&recvbuf[pos], "v=0\r\n", 5) == 0) {
|
|
// Direct SDP without a mime type
|
|
} else {
|
|
av_log(s, AV_LOG_WARNING, "Unsupported mime type %s\n",
|
|
&recvbuf[pos]);
|
|
continue;
|
|
}
|
|
|
|
sap->sdp = av_strdup(&recvbuf[pos]);
|
|
break;
|
|
}
|
|
|
|
av_log(s, AV_LOG_VERBOSE, "SDP:\n%s\n", sap->sdp);
|
|
ffio_init_context(&sap->sdp_pb, sap->sdp, strlen(sap->sdp), 0, NULL, NULL,
|
|
NULL, NULL);
|
|
|
|
infmt = av_find_input_format("sdp");
|
|
if (!infmt)
|
|
goto fail;
|
|
sap->sdp_ctx = avformat_alloc_context();
|
|
if (!sap->sdp_ctx) {
|
|
ret = AVERROR(ENOMEM);
|
|
goto fail;
|
|
}
|
|
sap->sdp_ctx->max_delay = s->max_delay;
|
|
sap->sdp_ctx->pb = &sap->sdp_pb;
|
|
sap->sdp_ctx->interrupt_callback = s->interrupt_callback;
|
|
|
|
if ((ret = ff_copy_whitelists(sap->sdp_ctx, s)) < 0)
|
|
goto fail;
|
|
|
|
ret = avformat_open_input(&sap->sdp_ctx, "temp.sdp", infmt, NULL);
|
|
if (ret < 0)
|
|
goto fail;
|
|
if (sap->sdp_ctx->ctx_flags & AVFMTCTX_NOHEADER)
|
|
s->ctx_flags |= AVFMTCTX_NOHEADER;
|
|
for (i = 0; i < sap->sdp_ctx->nb_streams; i++) {
|
|
AVStream *st = avformat_new_stream(s, NULL);
|
|
if (!st) {
|
|
ret = AVERROR(ENOMEM);
|
|
goto fail;
|
|
}
|
|
st->id = i;
|
|
avcodec_copy_context(st->codec, sap->sdp_ctx->streams[i]->codec);
|
|
st->time_base = sap->sdp_ctx->streams[i]->time_base;
|
|
}
|
|
|
|
return 0;
|
|
|
|
fail:
|
|
sap_read_close(s);
|
|
return ret;
|
|
}
|
|
|
|
static int sap_fetch_packet(AVFormatContext *s, AVPacket *pkt)
|
|
{
|
|
struct SAPState *sap = s->priv_data;
|
|
int fd = ffurl_get_file_handle(sap->ann_fd);
|
|
int n, ret;
|
|
struct pollfd p = {fd, POLLIN, 0};
|
|
uint8_t recvbuf[RTP_MAX_PACKET_LENGTH];
|
|
|
|
if (sap->eof)
|
|
return AVERROR_EOF;
|
|
|
|
while (1) {
|
|
n = poll(&p, 1, 0);
|
|
if (n <= 0 || !(p.revents & POLLIN))
|
|
break;
|
|
ret = ffurl_read(sap->ann_fd, recvbuf, sizeof(recvbuf));
|
|
if (ret >= 8) {
|
|
uint16_t hash = AV_RB16(&recvbuf[2]);
|
|
/* Should ideally check the source IP address, too */
|
|
if (recvbuf[0] & 0x04 && hash == sap->hash) {
|
|
/* Stream deletion */
|
|
sap->eof = 1;
|
|
return AVERROR_EOF;
|
|
}
|
|
}
|
|
}
|
|
ret = av_read_frame(sap->sdp_ctx, pkt);
|
|
if (ret < 0)
|
|
return ret;
|
|
if (s->ctx_flags & AVFMTCTX_NOHEADER) {
|
|
while (sap->sdp_ctx->nb_streams > s->nb_streams) {
|
|
int i = s->nb_streams;
|
|
AVStream *st = avformat_new_stream(s, NULL);
|
|
if (!st) {
|
|
av_free_packet(pkt);
|
|
return AVERROR(ENOMEM);
|
|
}
|
|
st->id = i;
|
|
avcodec_copy_context(st->codec, sap->sdp_ctx->streams[i]->codec);
|
|
st->time_base = sap->sdp_ctx->streams[i]->time_base;
|
|
}
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
AVInputFormat ff_sap_demuxer = {
|
|
.name = "sap",
|
|
.long_name = NULL_IF_CONFIG_SMALL("SAP input"),
|
|
.priv_data_size = sizeof(struct SAPState),
|
|
.read_probe = sap_probe,
|
|
.read_header = sap_read_header,
|
|
.read_packet = sap_fetch_packet,
|
|
.read_close = sap_read_close,
|
|
.flags = AVFMT_NOFILE,
|
|
};
|