The branch, master has been updated
via 83e0298de217a7108ee703806d6380e554007972 (commit)
via a64e037429f20873ec48f6c82aa145ab448e1399 (commit)
from fa959bb135bf95edc0f4bcc7ab8c327532f64694 (commit)
- Log -----------------------------------------------------------------
commit 83e0298de217a7108ee703806d6380e554007972
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Oct 30 23:20:41 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sat Nov 1 19:54:07 2025 +0100
avformat/rtmpproto: consider command line argument lengths
Fixes: out of array access
Fixes: zeropath/rtmp-2025-10
Found-by: Joshua Rogers <[email protected]>
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 5de3bebc62..b029c57621 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -163,6 +163,13 @@ static int handle_chunk_size(URLContext *s, RTMPPacket
*pkt);
static int handle_window_ack_size(URLContext *s, RTMPPacket *pkt);
static int handle_set_peer_bw(URLContext *s, RTMPPacket *pkt);
+static size_t zstrlen(const char *c)
+{
+ if(c)
+ return strlen(c);
+ return 0;
+}
+
static int add_tracked_method(RTMPContext *rt, const char *name, int id)
{
int err;
@@ -327,7 +334,16 @@ static int gen_connect(URLContext *s, RTMPContext *rt)
int ret;
if ((ret = ff_rtmp_packet_create(&pkt, RTMP_SYSTEM_CHANNEL, RTMP_PT_INVOKE,
- 0, 4096 + APP_MAX_LENGTH)) < 0)
+ 0, 4096 + APP_MAX_LENGTH
+ + strlen(rt->auth_params) +
strlen(rt->flashver)
+ + zstrlen(rt->enhanced_codecs)/5*7
+ + zstrlen(rt->swfurl)
+ + zstrlen(rt->swfverify)
+ + zstrlen(rt->tcurl)
+ + zstrlen(rt->auth_params)
+ + zstrlen(rt->pageurl)
+ + zstrlen(rt->conn)*3
+ )) < 0)
return ret;
p = pkt.data;
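Review bot: `rt->auth_params` is added to the packet size twice, once through bare `strlen()` and once through `zstrlen()`, so the two terms disagree about whether the field can be NULL; if it cannot, drop the `zstrlen(rt->auth_params)` term, and if it can, the bare `strlen()` call is itself a NULL dereference. `zstrlen(rt->enhanced_codecs)/5*7` rounds down, so a final entry without a trailing separator adds nothing and is presumably covered only by the 4096-byte slack; `(zstrlen(rt->enhanced_codecs) + 4) / 5 * 7` rounds up instead. The `/5*7` and `*3` factors deserve a one-line comment naming the encoding expansion they bound, so the estimate can be checked against the code that writes into `pkt.data`. The sum is a `size_t`; if `ff_rtmp_packet_create()` takes an `int` size (its prototype is not in the hunk), very long option strings would be narrowed silently, and the same applies to the `write_status` call in the next hunk. gen_connect's body continues outside the hunk.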
@@ -1926,7 +1942,9 @@ static int write_status(URLContext *s, RTMPPacket *pkt,
if ((ret = ff_rtmp_packet_create(&spkt, RTMP_SYSTEM_CHANNEL,
RTMP_PT_INVOKE, 0,
- RTMP_PKTDATA_DEFAULT_SIZE)) < 0) {
+ RTMP_PKTDATA_DEFAULT_SIZE
+ + strlen(status) + strlen(description)
+ + zstrlen(details))) < 0) {
av_log(s, AV_LOG_ERROR, "Unable to create response packet\n");
return ret;
}
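Review bot: `status` and `description` go through bare `strlen()` while `details` goes through the NULL-tolerant `zstrlen()`, so the size expression assumes a non-NULL contract for the first two that the hunk does not state. If every caller guarantees that, a short comment such as `/* status and description are never NULL; details may be */` records it. Otherwise `zstrlen(status) + zstrlen(description)` costs nothing and keeps the three terms consistent. write_status starts and ends outside the hunk, so the callers and the writes this size must cover cannot be checked from here.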
commit a64e037429f20873ec48f6c82aa145ab448e1399
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Oct 30 23:05:57 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sat Nov 1 19:53:46 2025 +0100
avformat/rtmpproto_ Check tcurl and flashver length
Fixes: out of array accesses
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 4f866eb76c..5de3bebc62 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -2859,6 +2859,12 @@ reconnect:
"FMLE/3.0 (compatible; %s)", LIBAVFORMAT_IDENT);
}
}
+ if ( strlen(rt->flashver) > FLASHVER_MAX_LENGTH
+ || strlen(rt->tcurl ) > TCURL_MAX_LENGTH
+ ) {
+ ret = AVERROR(EINVAL);
+ goto fail;
+ }
rt->receive_report_size = 1048576;
rt->bytes_read = 0;
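Review bot: The new length check fails with `AVERROR(EINVAL)` without logging anything, so a user who passed an over-long flashver or tcurl option gets no hint about what was rejected. Adding `av_log(s, AV_LOG_ERROR, "flashver or tcurl is too long\n");` before the `goto fail` would make the failure diagnosable. It is also worth confirming that `>` is the right boundary: if `FLASHVER_MAX_LENGTH` and `TCURL_MAX_LENGTH` are buffer sizes that include the terminator (their definitions are not in the hunk), a string of exactly that length would still pass the check. The enclosing function starts and ends outside the hunk.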
-----------------------------------------------------------------------
Summary of changes:
libavformat/rtmpproto.c | 28 ++++++++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)