[vlc-devel] commit: RTMP: Don't trust the length given by the stream ( Christophe Mutricy )
git version control
git at videolan.org
Thu Feb 11 00:40:43 CET 2010
vlc | branch: master | Christophe Mutricy <xtophe at videolan.org> | Wed Feb 10 23:31:56 2010 +0000| [d7474341857cf8482e3037648afbe4831590fa8e] | committer: Christophe Mutricy
RTMP: Don't trust the length given by the stream
and fix a null-dereference
Test url: rtmp://cp31335.live.edgefcs.net/live/ (no longer crashes but doesn't work)
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=d7474341857cf8482e3037648afbe4831590fa8e
---
modules/access/rtmp/rtmp_amf_flv.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/modules/access/rtmp/rtmp_amf_flv.c b/modules/access/rtmp/rtmp_amf_flv.c
index ff5673f..efad33f 100644
--- a/modules/access/rtmp/rtmp_amf_flv.c
+++ b/modules/access/rtmp/rtmp_amf_flv.c
@@ -1064,6 +1064,11 @@ rtmp_handler_invoke( rtmp_control_thread_t *p_thread, rtmp_packet_t *rtmp_packet
i++; /* Pass over AMF_DATATYPE_STRING */
string = amf_decode_string( &i );
+ if( !string )
+ {
+ msg_Err(p_thread,"Seriously broken stream");
+ return;
+ }
i++; /* Pass over AMF_DATATYPE_NUMBER */
number = amf_decode_number( &i );
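Review bot: The new `if( !string )` branch logs "Seriously broken stream" for every NULL return, but amf_decode_string() also returns NULL when malloc fails (`if( !out ) return NULL;` in the second hunk), so an out-of-memory condition gets reported as a malformed stream. Consider distinguishing the two cases, or wording the message neutrally. The surrounding `i++` steps still skip the AMF type byte without checking that it is the expected type or that `i` remains inside the packet body, and the following `amf_decode_number( &i )` call gets no equivalent validation, so the null check only covers one of the reads in this sequence. It is also worth confirming that nothing acquired earlier in rtmp_handler_invoke() needs releasing before the early `return`; that cannot be verified from the lines shown here.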
@@ -2191,6 +2196,9 @@ amf_decode_string( uint8_t **buffer )
length = ntoh16( *(uint16_t *) *buffer );
*buffer += sizeof( uint16_t );
+ if( length > sizeof( *buffer ) / sizeof( uint8_t ))
+ return NULL;
+
out = (char *) malloc( length + 1 ); /* '\0' terminated */
if( !out ) return NULL;
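Review bot: The bound in `if( length > sizeof( *buffer ) / sizeof( uint8_t ))` is not the remaining size of the packet. `buffer` is a `uint8_t **`, so `sizeof( *buffer )` is the size of a pointer (4 or 8 bytes), a compile-time constant unrelated to how much data is left. As written, any string longer than a pointer is rejected, and any shorter one is accepted without knowing whether that many bytes are actually available, so the attacker-controlled length is still not validated against the real buffer. The function has no way to know the limit from its current signature; pass the end of the packet body (or the remaining byte count) as an extra parameter and compare `length` against that. The same limit should be checked before the `ntoh16( *(uint16_t *) *buffer )` read, since nothing here guarantees that two bytes remain for the length field itself.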