rtmp: fix multiple broken overflow checks

Sanity checks like `data + size >= data_end || data + size < data' are broken, because `data + size < data' assumes pointer overflow, which is undefined behavior in C. Many compilers such as gcc/clang optimize such checks away. Use `size < 0 || size >= data_end - data' instead. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Martin Storsjö <martin@martin.st>
12 years ago · 3cff53369a
parent 2e4130037c
commit 3cff53369a
1 changed files with 6 additions and 6 deletions
--- a/libavformat/rtmppkt.c
+++ b/libavformat/rtmppkt.c
@ -356,11 +356,11 @@ int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end)
                data++;
                break;
            }
-            if (data + size >= data_end || data + size < data)
+            if (size < 0 || size >= data_end - data)
                return -1;
            data += size;
            t = ff_amf_tag_size(data, data_end);
-            if (t < 0 || data + t >= data_end)
+            if (t < 0 || t >= data_end - data)
                return -1;
            data += t;
        }
@ -389,7 +389,7 @@ int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end,
        int size = bytestream_get_be16(&data);
        if (!size)
            break;
-        if (data + size >= data_end || data + size < data)
+        if (size < 0 || size >= data_end - data)
            return -1;
        data += size;
        if (size == namelen && !memcmp(data-size, name, namelen)) {
@ -410,7 +410,7 @@ int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end,
            return 0;
        }
        len = ff_amf_tag_size(data, data_end);
-        if (len < 0 || data + len >= data_end || data + len < data)
+        if (len < 0 || len >= data_end - data)
            return -1;
        data += len;
    }
@ -481,13 +481,13 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d
                data++;
                break;
            }
-            if (data + size >= data_end || data + size < data)
+            if (size < 0 || size >= data_end - data)
                return;
            data += size;
            av_log(ctx, AV_LOG_DEBUG, "  %s: ", buf);
            ff_amf_tag_contents(ctx, data, data_end);
            t = ff_amf_tag_size(data, data_end);
-            if (t < 0 || data + t >= data_end)
+            if (t < 0 || t >= data_end - data)
                return;
            data += t;
        }