[rtmpdump] branch master updated. fa8646d Fix issue 6-7/7 from LMX of Qihoo 360 Codesafe Team
rtmpdump at mplayerhq.hu
rtmpdump at mplayerhq.hu
Wed Dec 23 20:10:08 CET 2015
The branch, master has been updated
via fa8646daeb19dfd12c181f7d19de708d623704c0 (commit)
via 07c10ae612bf5c2dbea594dcbd4da85c54dba1e4 (commit)
via 7c68ad18f4296911114470bb4caaa673d55c8447 (commit)
via f3042b5bb7dcb42eda32ad9dd88029b24a2c282b (commit)
via 71fe4f2435beaccca046dad3905840615b76b085 (commit)
from 3a69b314a5763c370406149dc1be456db294065a (commit)
- Log -----------------------------------------------------------------
commit fa8646daeb19dfd12c181f7d19de708d623704c0
Author: Howard Chu <hyc at highlandsun.com>
AuthorDate: Wed Dec 23 18:58:50 2015 +0000
Commit: Howard Chu <hyc at highlandsun.com>
CommitDate: Wed Dec 23 19:09:27 2015 +0000
Fix issue 6-7/7 from LMX of Qihoo 360 Codesafe Team
Additional decode input size checks
diff --git a/librtmp/amf.c b/librtmp/amf.c
index b783d35..7954144 100644
--- a/librtmp/amf.c
+++ b/librtmp/amf.c
@@ -519,9 +519,11 @@ AMF3Prop_Decode(AMFObjectProperty *prop, const char *pBuffer, int nSize,
if (name.av_len <= 0)
return nRes;
+ nSize -= nRes;
+ if (nSize <= 0)
+ return -1;
prop->p_name = name;
pBuffer += nRes;
- nSize -= nRes;
}
/* decode */
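Review bot: The added `nSize <= 0` test runs only after the property name has already been decoded, and the decode call sits above this hunk, so it cannot be seen whether that read was itself limited to `nSize` bytes. If it was not, a length taken from the input has already been used to read from the buffer before this check can reject it, and the early `return nRes;` for an empty name is never compared against `nSize` at all. The same check-after-read shape applies to the `if (nSize < 0) return -1;` added at the end of the function in the next hunk. A comment such as `/* name decode above is not bounded by nSize; overrun is only detected here */` would record the limitation, and passing the remaining size into the string decoder would close it. AMF3Prop_Decode starts and ends outside this hunk.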
@@ -607,6 +609,8 @@ AMF3Prop_Decode(AMFObjectProperty *prop, const char *pBuffer, int nSize,
__FUNCTION__, (unsigned char)(*pBuffer), pBuffer);
return -1;
}
+ if (nSize < 0)
+ return -1;
return nOriginalSize - nSize;
}
@@ -1001,9 +1005,17 @@ AMF_DecodeArray(AMFObject *obj, const char *pBuffer, int nSize,
int nRes;
nArrayLen--;
+ if (nSize <= 0)
+ {
+ bError = TRUE;
+ break;
+ }
nRes = AMFProp_Decode(&prop, pBuffer, nSize, bDecodeName);
if (nRes == -1)
- bError = TRUE;
+ {
+ bError = TRUE;
+ break;
+ }
else
{
nSize -= nRes;
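Review bot: After `nSize -= nRes;` nothing rejects a negative remainder, whereas the parallel loop in AMF_Decode (patched in the next hunk) gains exactly that test. The new `nSize <= 0` guard at the top of the loop catches an overrun only when another element is still expected, so an overshoot on the last element would fall through to whatever the function returns after the loop. Suggest adding `if (nSize < 0) { bError = TRUE; break; }` directly after the subtraction, before `pBuffer` is advanced. The else-branch and the rest of AMF_DecodeArray continue outside this hunk.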
@@ -1195,10 +1207,18 @@ AMF_Decode(AMFObject *obj, const char *pBuffer, int nSize, int bDecodeName)
nRes = AMFProp_Decode(&prop, pBuffer, nSize, bDecodeName);
if (nRes == -1)
- bError = TRUE;
+ {
+ bError = TRUE;
+ break;
+ }
else
{
nSize -= nRes;
+ if (nSize < 0)
+ {
+ bError = TRUE;
+ break;
+ }
pBuffer += nRes;
AMF_AddProp(obj, &prop);
}
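Review bot: On the new `nSize < 0` path the loop breaks before `AMF_AddProp(obj, &prop)`, so the freshly decoded `prop` is never handed to `obj` and nothing in the hunk releases it. If a decoded property can own heap memory (a nested object, for instance; not visible here), that memory is lost each time an input is rejected this way. Calling `AMFProp_Reset(&prop);` before the `break` would avoid it. The loop header and the end of AMF_Decode are outside this hunk.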
commit 07c10ae612bf5c2dbea594dcbd4da85c54dba1e4
Author: Howard Chu <hyc at highlandsun.com>
AuthorDate: Wed Dec 23 18:28:13 2015 +0000
Commit: Howard Chu <hyc at highlandsun.com>
CommitDate: Wed Dec 23 19:09:27 2015 +0000
Fix issue 5/7 from LMX of Qihoo 360 Codesafe Team
Ignore zero-length packets
diff --git a/librtmp/rtmp.c b/librtmp/rtmp.c
index 057058b..a2863b0 100644
--- a/librtmp/rtmp.c
+++ b/librtmp/rtmp.c
@@ -1183,7 +1183,7 @@ RTMP_GetNextMediaPacket(RTMP *r, RTMPPacket *packet)
while (!bHasMediaPacket && RTMP_IsConnected(r)
&& RTMP_ReadPacket(r, packet))
{
- if (!RTMPPacket_IsReady(packet))
+ if (!RTMPPacket_IsReady(packet) || !packet->m_nBodySize)
{
continue;
}
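Review bot: The new `!packet->m_nBodySize` condition has no comment saying why a complete but empty packet must not reach the handling code further down, and the commit message is the only place that explains it. A line above the test such as `/* not fully read yet, or an empty body: nothing for the handlers below to parse */` would keep that reasoning next to the code. Because `continue` skips the rest of the loop body, which is outside this hunk, it is also worth confirming that a skipped zero-length packet holds no allocation that the later code would normally free.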
commit 7c68ad18f4296911114470bb4caaa673d55c8447
Author: Howard Chu <hyc at highlandsun.com>
AuthorDate: Wed Dec 23 18:10:15 2015 +0000
Commit: Howard Chu <hyc at highlandsun.com>
CommitDate: Wed Dec 23 19:09:27 2015 +0000
Fix issue 4/7 from LMX of Qihoo 360 Codesafe Team
Potential integer overflow in RTMPPacket_Alloc().
Aside: issue 3/7 could not be reproduced.
diff --git a/librtmp/rtmp.c b/librtmp/rtmp.c
index d3c4715..057058b 100644
--- a/librtmp/rtmp.c
+++ b/librtmp/rtmp.c
@@ -186,9 +186,12 @@ RTMPPacket_Reset(RTMPPacket *p)
}
int
-RTMPPacket_Alloc(RTMPPacket *p, int nSize)
+RTMPPacket_Alloc(RTMPPacket *p, uint32_t nSize)
{
- char *ptr = calloc(1, nSize + RTMP_MAX_HEADER_SIZE);
+ char *ptr;
+ if (nSize > SIZE_MAX - RTMP_MAX_HEADER_SIZE)
+ return FALSE;
+ ptr = calloc(1, nSize + RTMP_MAX_HEADER_SIZE);
if (!ptr)
return FALSE;
p->m_body = ptr + RTMP_MAX_HEADER_SIZE;
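Review bot: The guard compares against `SIZE_MAX`, but the sum passed to `calloc` is still computed as `nSize + RTMP_MAX_HEADER_SIZE` with `nSize` now a `uint32_t`. If `RTMP_MAX_HEADER_SIZE` is an `int`-typed constant (its definition is not in this hunk), that addition is done in 32-bit unsigned arithmetic and wraps at `UINT32_MAX`, while on a platform with a 64-bit `size_t` the new test can never be true. Widening before the add keeps the check and the allocation in agreement: `ptr = calloc(1, (size_t)nSize + RTMP_MAX_HEADER_SIZE);`. The rest of RTMPPacket_Alloc lies below the hunk.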
diff --git a/librtmp/rtmp.h b/librtmp/rtmp.h
index 0248913..6d7dd89 100644
--- a/librtmp/rtmp.h
+++ b/librtmp/rtmp.h
@@ -136,7 +136,7 @@ extern "C"
void RTMPPacket_Reset(RTMPPacket *p);
void RTMPPacket_Dump(RTMPPacket *p);
- int RTMPPacket_Alloc(RTMPPacket *p, int nSize);
+ int RTMPPacket_Alloc(RTMPPacket *p, uint32_t nSize);
void RTMPPacket_Free(RTMPPacket *p);
#define RTMPPacket_IsReady(a) ((a)->m_nBytesRead == (a)->m_nBodySize)
commit f3042b5bb7dcb42eda32ad9dd88029b24a2c282b
Author: Howard Chu <hyc at highlandsun.com>
AuthorDate: Wed Dec 23 17:53:34 2015 +0000
Commit: Howard Chu <hyc at highlandsun.com>
CommitDate: Wed Dec 23 19:09:27 2015 +0000
Fix issue 2/7 from LMX of Qihoo 360 Codesafe Team
Obsolete RTMPPacket_Free() call left over from original C++ to C rewrite
diff --git a/librtmp/rtmp.c b/librtmp/rtmp.c
index ca7db6a..d3c4715 100644
--- a/librtmp/rtmp.c
+++ b/librtmp/rtmp.c
@@ -3643,7 +3643,6 @@ RTMP_ReadPacket(RTMP *r, RTMPPacket *packet)
{
packet->m_nBodySize = AMF_DecodeInt24(header + 3);
packet->m_nBytesRead = 0;
- RTMPPacket_Free(packet);
if (nSize > 6)
{
commit 71fe4f2435beaccca046dad3905840615b76b085
Author: Howard Chu <hyc at highlandsun.com>
AuthorDate: Wed Dec 23 17:51:39 2015 +0000
Commit: Howard Chu <hyc at highlandsun.com>
CommitDate: Wed Dec 23 19:09:27 2015 +0000
Fix issue 1/7 from LMX of Qihoo 360 Codesafe Team
AMFProp_GetObject must make sure the prop is actually an object
diff --git a/librtmp/amf.c b/librtmp/amf.c
index 1c5f99f..b783d35 100644
--- a/librtmp/amf.c
+++ b/librtmp/amf.c
@@ -33,6 +33,7 @@
#include "bytes.h"
static const AMFObjectProperty AMFProp_Invalid = { {0, 0}, AMF_INVALID };
+static const AMFObject AMFObj_Invalid = { 0, 0 };
static const AVal AV_empty = { 0, 0 };
/* Data is Big-Endian */
@@ -340,13 +341,19 @@ AMFProp_GetBoolean(AMFObjectProperty *prop)
void
AMFProp_GetString(AMFObjectProperty *prop, AVal *str)
{
- *str = prop->p_vu.p_aval;
+ if (prop->p_type == AMF_STRING)
+ *str = prop->p_vu.p_aval;
+ else
+ *str = AV_empty;
}
void
AMFProp_GetObject(AMFObjectProperty *prop, AMFObject *obj)
{
- *obj = prop->p_vu.p_object;
+ if (prop->p_type == AMF_OBJECT)
+ *obj = prop->p_vu.p_object;
+ else
+ *obj = AMFObj_Invalid;
}
int
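Review bot: Both getters now return an empty value silently when the type tag does not match, and each test accepts exactly one tag (`AMF_STRING`, `AMF_OBJECT`). If the decoder stores `p_vu.p_aval` or `p_vu.p_object` under any other `p_type` (long strings or array types would be the candidates; the decoder is not in this hunk), callers that used to read those values will now get `AV_empty` or `AMFObj_Invalid` with no indication why. A short comment on each function stating the contract, e.g. `/* yields AV_empty unless prop is AMF_STRING */`, would make that visible; `prop` is also dereferenced without a NULL check. The neighbouring getters such as AMFProp_GetBoolean are outside the hunk, so it is unclear whether they validate `p_type` the same way.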
-----------------------------------------------------------------------
Summary of changes:
librtmp/amf.c | 37 ++++++++++++++++++++++++++++++++-----
librtmp/rtmp.c | 10 ++++++----
librtmp/rtmp.h | 2 +-
3 files changed, 39 insertions(+), 10 deletions(-)
hooks/post-receive
--