[rtmpdump] branch master updated. fa8646d Fix issue 6-7/7 from LMX of Qihoo 360 Codesafe Team

rtmpdump at mplayerhq.hu rtmpdump at mplayerhq.hu
Wed Dec 23 20:10:08 CET 2015


The branch, master has been updated
       via  fa8646daeb19dfd12c181f7d19de708d623704c0 (commit)
       via  07c10ae612bf5c2dbea594dcbd4da85c54dba1e4 (commit)
       via  7c68ad18f4296911114470bb4caaa673d55c8447 (commit)
       via  f3042b5bb7dcb42eda32ad9dd88029b24a2c282b (commit)
       via  71fe4f2435beaccca046dad3905840615b76b085 (commit)
      from  3a69b314a5763c370406149dc1be456db294065a (commit)


- Log -----------------------------------------------------------------
commit fa8646daeb19dfd12c181f7d19de708d623704c0
Author:     Howard Chu <hyc at highlandsun.com>
AuthorDate: Wed Dec 23 18:58:50 2015 +0000
Commit:     Howard Chu <hyc at highlandsun.com>
CommitDate: Wed Dec 23 19:09:27 2015 +0000

    Fix issue 6-7/7 from LMX of Qihoo 360 Codesafe Team
    
    Additional decode input size checks

diff --git a/librtmp/amf.c b/librtmp/amf.c
index b783d35..7954144 100644
--- a/librtmp/amf.c
+++ b/librtmp/amf.c
@@ -519,9 +519,11 @@ AMF3Prop_Decode(AMFObjectProperty *prop, const char *pBuffer, int nSize,
       if (name.av_len <= 0)
 	return nRes;
 
+      nSize -= nRes;
+      if (nSize <= 0)
+	return -1;
       prop->p_name = name;
       pBuffer += nRes;
-      nSize -= nRes;
     }
 
   /* decode */
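Review bot: The new `nSize <= 0` test runs only after the name has been read, so it rejects an over-long name after the fact but cannot stop that read from running past the end of the input. The same holds for the `if (nSize < 0)` added at the end of the function in the second hunk, which fires after the type switch has already consumed its bytes. The name-reading call sits above this hunk, so whether it bounds itself is not visible here; if it takes no length, a guard such as `if (nSize < 1) return -1;` is needed before it. A short comment on the new check, e.g. `/* name used up the whole input: no room left for the type marker */`, would also explain why zero is rejected here.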
@@ -607,6 +609,8 @@ AMF3Prop_Decode(AMFObjectProperty *prop, const char *pBuffer, int nSize,
 	  __FUNCTION__, (unsigned char)(*pBuffer), pBuffer);
       return -1;
     }
+  if (nSize < 0)
+    return -1;
 
   return nOriginalSize - nSize;
 }
@@ -1001,9 +1005,17 @@ AMF_DecodeArray(AMFObject *obj, const char *pBuffer, int nSize,
       int nRes;
       nArrayLen--;
 
+      if (nSize <= 0)
+	{
+	  bError = TRUE;
+	  break;
+	}
       nRes = AMFProp_Decode(&prop, pBuffer, nSize, bDecodeName);
       if (nRes == -1)
-	bError = TRUE;
+	{
+	  bError = TRUE;
+	  break;
+	}
       else
 	{
 	  nSize -= nRes;
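Review bot: Unlike the matching loop in AMF_Decode (fourth hunk), this loop gets no check after `nSize -= nRes;`. If the last array element reports more bytes than remain, the top-of-loop `nSize <= 0` test never runs again, and the loop presumably ends on nArrayLen with nSize negative and bError unset. Adding `if (nSize < 0) { bError = TRUE; break; }` directly after the subtraction would make the two decoders agree. The loop header and the code after the loop are outside the hunk, so what is done with nSize afterwards cannot be confirmed from here.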
@@ -1195,10 +1207,18 @@ AMF_Decode(AMFObject *obj, const char *pBuffer, int nSize, int bDecodeName)
 
       nRes = AMFProp_Decode(&prop, pBuffer, nSize, bDecodeName);
       if (nRes == -1)
-	bError = TRUE;
+	{
+	  bError = TRUE;
+	  break;
+	}
       else
 	{
 	  nSize -= nRes;
+	  if (nSize < 0)
+	    {
+	      bError = TRUE;
+	      break;
+	    }
 	  pBuffer += nRes;
 	  AMF_AddProp(obj, &prop);
 	}
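Review bot: On the new `nSize < 0` path the loop breaks before `AMF_AddProp(obj, &prop)`, so a property that AMFProp_Decode returned successfully is dropped without being handed to obj or released. If the decoder can allocate for nested values, that storage is lost each time a truncated message hits this path. Calling `AMFProp_Reset(&prop);` before the `break` would avoid it, assuming that helper is safe to call on a freshly decoded property.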

commit 07c10ae612bf5c2dbea594dcbd4da85c54dba1e4
Author:     Howard Chu <hyc at highlandsun.com>
AuthorDate: Wed Dec 23 18:28:13 2015 +0000
Commit:     Howard Chu <hyc at highlandsun.com>
CommitDate: Wed Dec 23 19:09:27 2015 +0000

    Fix issue 5/7 from LMX of Qihoo 360 Codesafe Team
    
    Ignore zero-length packets

diff --git a/librtmp/rtmp.c b/librtmp/rtmp.c
index 057058b..a2863b0 100644
--- a/librtmp/rtmp.c
+++ b/librtmp/rtmp.c
@@ -1183,7 +1183,7 @@ RTMP_GetNextMediaPacket(RTMP *r, RTMPPacket *packet)
   while (!bHasMediaPacket && RTMP_IsConnected(r)
 	 && RTMP_ReadPacket(r, packet))
     {
-      if (!RTMPPacket_IsReady(packet))
+      if (!RTMPPacket_IsReady(packet) || !packet->m_nBodySize)
 	{
 	  continue;
 	}
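Review bot: The added `!packet->m_nBodySize` test deserves a one-line comment, because RTMPPacket_IsReady compares m_nBytesRead with m_nBodySize and is therefore true for an empty packet. Something like `/* IsReady is true for a 0-byte body; skip it, there is no payload to handle */` above the condition would do. The loop body continues past the hunk, so what an empty packet would otherwise have reached is not visible here.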

commit 7c68ad18f4296911114470bb4caaa673d55c8447
Author:     Howard Chu <hyc at highlandsun.com>
AuthorDate: Wed Dec 23 18:10:15 2015 +0000
Commit:     Howard Chu <hyc at highlandsun.com>
CommitDate: Wed Dec 23 19:09:27 2015 +0000

    Fix issue 4/7 from LMX of Qihoo 360 Codesafe Team
    
    Potential integer overflow in RTMPPacket_Alloc().
    
    Aside: issue 3/7 could not be reproduced.

diff --git a/librtmp/rtmp.c b/librtmp/rtmp.c
index d3c4715..057058b 100644
--- a/librtmp/rtmp.c
+++ b/librtmp/rtmp.c
@@ -186,9 +186,12 @@ RTMPPacket_Reset(RTMPPacket *p)
 }
 
 int
-RTMPPacket_Alloc(RTMPPacket *p, int nSize)
+RTMPPacket_Alloc(RTMPPacket *p, uint32_t nSize)
 {
-  char *ptr = calloc(1, nSize + RTMP_MAX_HEADER_SIZE);
+  char *ptr;
+  if (nSize > SIZE_MAX - RTMP_MAX_HEADER_SIZE)
+    return FALSE;
+  ptr = calloc(1, nSize + RTMP_MAX_HEADER_SIZE);
   if (!ptr)
     return FALSE;
   p->m_body = ptr + RTMP_MAX_HEADER_SIZE;
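Review bot: The overflow guard compares against SIZE_MAX, but the sum `nSize + RTMP_MAX_HEADER_SIZE` is computed in 32 bits when nSize is uint32_t and the macro is a plain int constant (its definition is not shown). Where size_t is 64 bits the guard can never be true, so a value near the top of the uint32_t range would still wrap to a tiny allocation, and `ptr + RTMP_MAX_HEADER_SIZE` on the last line would then point outside it. Either bound it in the parameter's own width, `if (nSize > UINT32_MAX - RTMP_MAX_HEADER_SIZE) return FALSE;`, or widen before adding, `ptr = calloc(1, (size_t)nSize + RTMP_MAX_HEADER_SIZE);`. The function body continues past the hunk.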
diff --git a/librtmp/rtmp.h b/librtmp/rtmp.h
index 0248913..6d7dd89 100644
--- a/librtmp/rtmp.h
+++ b/librtmp/rtmp.h
@@ -136,7 +136,7 @@ extern "C"
 
   void RTMPPacket_Reset(RTMPPacket *p);
   void RTMPPacket_Dump(RTMPPacket *p);
-  int RTMPPacket_Alloc(RTMPPacket *p, int nSize);
+  int RTMPPacket_Alloc(RTMPPacket *p, uint32_t nSize);
   void RTMPPacket_Free(RTMPPacket *p);
 
 #define RTMPPacket_IsReady(a)	((a)->m_nBytesRead == (a)->m_nBodySize)

commit f3042b5bb7dcb42eda32ad9dd88029b24a2c282b
Author:     Howard Chu <hyc at highlandsun.com>
AuthorDate: Wed Dec 23 17:53:34 2015 +0000
Commit:     Howard Chu <hyc at highlandsun.com>
CommitDate: Wed Dec 23 19:09:27 2015 +0000

    Fix issue 2/7 from LMX of Qihoo 360 Codesafe Team
    
    Obsolete RTMPPacket_Free() call left over from original C++ to C rewrite

diff --git a/librtmp/rtmp.c b/librtmp/rtmp.c
index ca7db6a..d3c4715 100644
--- a/librtmp/rtmp.c
+++ b/librtmp/rtmp.c
@@ -3643,7 +3643,6 @@ RTMP_ReadPacket(RTMP *r, RTMPPacket *packet)
 	{
 	  packet->m_nBodySize = AMF_DecodeInt24(header + 3);
 	  packet->m_nBytesRead = 0;
-	  RTMPPacket_Free(packet);
 
 	  if (nSize > 6)
 	    {

commit 71fe4f2435beaccca046dad3905840615b76b085
Author:     Howard Chu <hyc at highlandsun.com>
AuthorDate: Wed Dec 23 17:51:39 2015 +0000
Commit:     Howard Chu <hyc at highlandsun.com>
CommitDate: Wed Dec 23 19:09:27 2015 +0000

    Fix issue 1/7 from LMX of Qihoo 360 Codesafe Team
    
    AMFProp_GetObject must make sure the prop is actually an object

diff --git a/librtmp/amf.c b/librtmp/amf.c
index 1c5f99f..b783d35 100644
--- a/librtmp/amf.c
+++ b/librtmp/amf.c
@@ -33,6 +33,7 @@
 #include "bytes.h"
 
 static const AMFObjectProperty AMFProp_Invalid = { {0, 0}, AMF_INVALID };
+static const AMFObject AMFObj_Invalid = { 0, 0 };
 static const AVal AV_empty = { 0, 0 };
 
 /* Data is Big-Endian */
@@ -340,13 +341,19 @@ AMFProp_GetBoolean(AMFObjectProperty *prop)
 void
 AMFProp_GetString(AMFObjectProperty *prop, AVal *str)
 {
-  *str = prop->p_vu.p_aval;
+  if (prop->p_type == AMF_STRING)
+    *str = prop->p_vu.p_aval;
+  else
+    *str = AV_empty;
 }
 
 void
 AMFProp_GetObject(AMFObjectProperty *prop, AMFObject *obj)
 {
-  *obj = prop->p_vu.p_object;
+  if (prop->p_type == AMF_OBJECT)
+    *obj = prop->p_vu.p_object;
+  else
+    *obj = AMFObj_Invalid;
 }
 
 int
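Review bot: Both getters now accept exactly one type tag, which may be narrower than the set of types that populate the same union member. If other tags in this file also store into p_aval or p_object (long strings or ECMA/strict arrays would be the usual candidates), callers that previously read them through these getters now silently get an empty value. The fallback is also indistinguishable from a genuinely empty string or object, so a doc comment on each function should state it, e.g. `/* yields AV_empty unless prop is AMF_STRING */` and `/* yields an empty object unless prop is AMF_OBJECT */`. Note that the commit message mentions only AMFProp_GetObject although AMFProp_GetString changes as well.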

-----------------------------------------------------------------------

Summary of changes:
 librtmp/amf.c  | 37 ++++++++++++++++++++++++++++++++-----
 librtmp/rtmp.c | 10 ++++++----
 librtmp/rtmp.h |  2 +-
 3 files changed, 39 insertions(+), 10 deletions(-)


hooks/post-receive
-- 


