[vlc-devel] commit: RTMP: Don't trust the length given by the stream ( Christophe Mutricy )

[git version control]

vlc/vlc-1.0 | branch: master | Christophe Mutricy <xtophe at videolan.org> | Wed Feb 10 23:31:56 2010 +0000| [22ef8877c1a7df6a034febb2775be09a9a424bbf] | committer: Rémi Denis-Courmont 

RTMP: Don't trust the length given by the stream

and fix a null-dereference

Test url: rtmp://cp31335.live.edgefcs.net/live/ (no longer crash but doesn't work)
(cherry picked from commit d7474341857cf8482e3037648afbe4831590fa8e)

> http://git.videolan.org/gitweb.cgi/vlc/vlc-1.0.git/?a=commit;h=22ef8877c1a7df6a034febb2775be09a9a424bbf
---

 modules/access/rtmp/rtmp_amf_flv.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/modules/access/rtmp/rtmp_amf_flv.c b/modules/access/rtmp/rtmp_amf_flv.c
index ed3bd56..acdf9a3 100644
--- a/modules/access/rtmp/rtmp_amf_flv.c
+++ b/modules/access/rtmp/rtmp_amf_flv.c
@@ -1147,6 +1147,11 @@ rtmp_handler_invoke( rtmp_control_thread_t *p_thread, rtmp_packet_t *rtmp_packet
 
     i++; /* Pass over AMF_DATATYPE_STRING */
     string = amf_decode_string( &i );
+    if( !string )
+    {
+        msg_Err(p_thread,"Seriously broken stream");
+        return;
+    }
 
     i++; /* Pass over AMF_DATATYPE_NUMBER */
     number = amf_decode_number( &i );
@@ -2291,6 +2296,9 @@ amf_decode_string( uint8_t **buffer )
     length = ntoh16( *(uint16_t *) *buffer );
     *buffer += sizeof( uint16_t );
 
+    if( length > sizeof( *buffer ) / sizeof( uint8_t ))
+        return NULL;
+
     out = (char *) malloc( length + 1 ); /* '\0' terminated */
     if( !out ) return NULL;