RTMP: Don't trust the length given by the stream

and fix a null-dereference Test url: rtmp://cp31335.live.edgefcs.net/live/ (no longer crash but doesn't work)

RTMP: Don't trust the length given by the stream
and fix a null-dereference Test url: rtmp://cp31335.live.edgefcs.net/live/ (no longer crash but doesn't work)
d7474341 · Christophe Mutricy · 6e636d05 · d7474341
Commit d7474341 authored Feb 10, 2010 by Christophe Mutricy
Show whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

modules/access/rtmp/rtmp_amf_flv.c modules/access/rtmp/rtmp_amf_flv.c +8 -0

No files found.
--- a/modules/access/rtmp/rtmp_amf_flv.c
+++ b/modules/access/rtmp/rtmp_amf_flv.c
@@ -1064,6 +1064,11 @@ rtmp_handler_invoke( rtmp_control_thread_t *p_thread, rtmp_packet_t *rtmp_packet
    i++; /* Pass over AMF_DATATYPE_STRING */
    string = amf_decode_string( &i );
+    if( !string )
+    {
+        msg_Err(p_thread,"Seriously broken stream");
+        return;
+    }
    i++; /* Pass over AMF_DATATYPE_NUMBER */
    number = amf_decode_number( &i );
@@ -2191,6 +2196,9 @@ amf_decode_string( uint8_t **buffer )
    length = ntoh16( *(uint16_t *) *buffer );
    *buffer += sizeof( uint16_t );
+    if( length > sizeof( *buffer ) / sizeof( uint8_t ))
+        return NULL;
    out = (char *) malloc( length + 1 ); /* '\0' terminated */
    if( !out ) return NULL;