diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2013-02-18 03:56:01 +0400 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2013-02-18 03:56:01 +0400 |
| commit | 7378101d41020ee9f4643740ebf1b9142afca557 (patch) | |
| tree | d23ff231538f8385182a4138a2d874fbc72fa378 /libavformat/rtmppkt.c | |
| parent | da5f4e4d19917bce4b9213ff3d433ddf30e22fe5 (diff) | |
| parent | 377fabc9e687a3c73fdb235f773f6e9151378ca5 (diff) | |
Merge branch 'release/0.8' into release/0.7
* release/0.8: (92 commits)
Update for 0.8.13
pngdec/filter: dont access out of array elements at the end
aacdec: check channel count
vqavideo: check chunk sizes before reading chunks
eamad: fix out of array accesses
roqvideodec: check dimensions validity
qdm2: check array index before use, fix out of array accesses
alsdec: check block length
huffyuvdec: Skip len==0 cases
huffyuvdec: Check init_vlc() return codes.
Update changelog for 0.7.7 release
mpeg12: do not decode extradata more than once.
indeo4/5: check empty tile size in decode_mb_info().
dfa: improve boundary checks in decode_dds1()
indeo5dec: Make sure we have had a valid gop header.
rv34: error out on size changes with frame threading
rtmp: fix buffer overflows in ff_amf_tag_contents()
rtmp: fix multiple broken overflow checks
Revert "h264: allow cropping to AVCodecContext.width/height"
h264: check ref_count validity for num_ref_idx_active_override_flag
...
Conflicts:
Doxyfile
RELEASE
VERSION
libavcodec/rv34.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavformat/rtmppkt.c')
| -rw-r--r-- | libavformat/rtmppkt.c | 21 |
1 files changed, 10 insertions, 11 deletions
diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 4b6d549f74..c65cfc1439 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -278,11 +278,11 @@ int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) data++; break; } - if (data + size >= data_end || data + size < data) + if (size < 0 || size >= data_end - data) return -1; data += size; t = ff_amf_tag_size(data, data_end); - if (t < 0 || data + t >= data_end) + if (t < 0 || t >= data_end - data) return -1; data += t; } @@ -311,7 +311,7 @@ int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, int size = bytestream_get_be16(&data); if (!size) break; - if (data + size >= data_end || data + size < data) + if (size < 0 || size >= data_end - data) return -1; data += size; if (size == namelen && !memcmp(data-size, name, namelen)) { @@ -332,7 +332,7 @@ int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, return 0; } len = ff_amf_tag_size(data, data_end); - if (len < 0 || data + len >= data_end || data + len < data) + if (len < 0 || len >= data_end - data) return -1; data += len; } @@ -362,7 +362,7 @@ static const char* rtmp_packet_type(int type) static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *data_end) { - int size; + unsigned int size; char buf[1024]; if (data >= data_end) @@ -381,7 +381,7 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d } else { size = bytestream_get_be32(&data); } - size = FFMIN(size, 1023); + size = FFMIN(size, sizeof(buf) - 1); memcpy(buf, data, size); buf[size] = 0; av_log(ctx, AV_LOG_DEBUG, " string '%s'\n", buf); @@ -394,22 +394,21 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d case AMF_DATA_TYPE_OBJECT: av_log(ctx, AV_LOG_DEBUG, " {\n"); for (;;) { - int size = bytestream_get_be16(&data); int t; - memcpy(buf, data, size); - buf[size] = 0; + size = bytestream_get_be16(&data); + av_strlcpy(buf, data, FFMIN(sizeof(buf), size + 1)); if (!size) { av_log(ctx, AV_LOG_DEBUG, " }\n"); data++; break; } - if (data + size >= data_end || data + size < data) + if (size >= data_end - data) return; data += size; av_log(ctx, AV_LOG_DEBUG, " %s: ", buf); ff_amf_tag_contents(ctx, data, data_end); t = ff_amf_tag_size(data, data_end); - if (t < 0 || data + t >= data_end) + if (t < 0 || t >= data_end - data) return; data += t; } |