Skip to content
Permalink
Browse files Browse the repository at this point in the history
avformat/rtmppkt: Check for packet size mismatches
Fixes out of array access

Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  • Loading branch information
michaelni committed Dec 5, 2016
1 parent d903b4e commit 7d57ca4
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions libavformat/rtmppkt.c
Expand Up @@ -235,6 +235,14 @@ static int rtmp_packet_read_one_chunk(URLContext *h, RTMPPacket *p,
if (hdr != RTMP_PS_TWELVEBYTES)
timestamp += prev_pkt[channel_id].timestamp;

if (prev_pkt[channel_id].read && size != prev_pkt[channel_id].size) {
av_log(NULL, AV_LOG_ERROR, "RTMP packet size mismatch %d != %d\n",
size,
prev_pkt[channel_id].size);
ff_rtmp_packet_destroy(&prev_pkt[channel_id]);
prev_pkt[channel_id].read = 0;
}

if (!prev_pkt[channel_id].read) {
if ((ret = ff_rtmp_packet_create(p, channel_id, type, timestamp,
size)) < 0)
Expand Down

1 comment on commit 7d57ca4

@carnil
Copy link

@carnil carnil commented on 7d57ca4 Feb 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is CVE-2016-10191

Please sign in to comment.