rtmp: fix buffer overflows in ff_amf_tag_contents()

A negative `size' will bypass FFMIN(). In the subsequent memcpy() call, `size' will be considered as a large positive value, leading to a buffer overflow. Change the type of `size' to unsigned int to avoid buffer overflow, and simplify overflow checks accordingly. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
12 years ago · 4e692374f7
parent 902cfe2f74
commit 4e692374f7
1 changed files with 5 additions and 6 deletions
--- a/libavformat/rtmppkt.c
+++ b/libavformat/rtmppkt.c
@ -440,7 +440,7 @@ static const char* rtmp_packet_type(int type)

 static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *data_end)
 {
-    int size;
+    unsigned int size;
    char buf[1024];

    if (data >= data_end)
@ -459,7 +459,7 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d
        } else {
            size = bytestream_get_be32(&data);
        }
-        size = FFMIN(size, 1023);
+        size = FFMIN(size, sizeof(buf) - 1);
        memcpy(buf, data, size);
        buf[size] = 0;
        av_log(ctx, AV_LOG_DEBUG, " string '%s'\n", buf);
@ -472,16 +472,15 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d
    case AMF_DATA_TYPE_OBJECT:
        av_log(ctx, AV_LOG_DEBUG, " {\n");
        for (;;) {
-            int size = bytestream_get_be16(&data);
            int t;
-            memcpy(buf, data, size);
-            buf[size] = 0;
+            size = bytestream_get_be16(&data);
+            av_strlcpy(buf, data, FFMIN(sizeof(buf), size + 1));
            if (!size) {
                av_log(ctx, AV_LOG_DEBUG, " }\n");
                data++;
                break;
            }
-            if (size < 0 || size >= data_end - data)
+            if (size >= data_end - data)
                return;
            data += size;
            av_log(ctx, AV_LOG_DEBUG, "  %s: ", buf);