
Commit ffcc822

committed
avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2
Fixes: out of array accesses
Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
1 parent 08c0734 commit ffcc822


1 file changed

+37
-20
lines changed


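--- a/libavformat/rtmppkt.c
+++ b/libavformat/rtmppkt.c
@@ -505,53 +505,70 @@ int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end)
     return bytestream2_tell(&gb);
 }
 
-int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end,
+static int amf_get_field_value2(GetByteContext *gb,
                            const uint8_t *name, uint8_t *dst, int dst_size)
 {
     int namelen = strlen(name);
     int len;
 
-    while (*data != AMF_DATA_TYPE_OBJECT && data < data_end) {
-        len = ff_amf_tag_size(data, data_end);
-        if (len < 0)
-            len = data_end - data;
-        data += len;
+    while (bytestream2_peek_byte(gb) != AMF_DATA_TYPE_OBJECT && bytestream2_get_bytes_left(gb) > 0) {
+        int ret = amf_tag_skip(gb);
+        if (ret < 0)
+            return -1;
     }
-    if (data_end - data < 3)
+    if (bytestream2_get_bytes_left(gb) < 3)
         return -1;
-    data++;
+    bytestream2_get_byte(gb);
+
     for (;;) {
-        int size = bytestream_get_be16(&data);
+        int size = bytestream2_get_be16(gb);
         if (!size)
             break;
-        if (size < 0 || size >= data_end - data)
+        if (size < 0 || size >= bytestream2_get_bytes_left(gb))
             return -1;
-        data += size;
-        if (size == namelen && !memcmp(data-size, name, namelen)) {
-            switch (*data++) {
+        bytestream2_skip(gb, size);
+        if (size == namelen && !memcmp(gb->buffer-size, name, namelen)) {
+            switch (bytestream2_get_byte(gb)) {
             case AMF_DATA_TYPE_NUMBER:
-                snprintf(dst, dst_size, "%g", av_int2double(AV_RB64(data)));
+                snprintf(dst, dst_size, "%g", av_int2double(bytestream2_get_be64(gb)));
                 break;
             case AMF_DATA_TYPE_BOOL:
-                snprintf(dst, dst_size, "%s", *data ? "true" : "false");
+                snprintf(dst, dst_size, "%s", bytestream2_get_byte(gb) ? "true" : "false");
                 break;
             case AMF_DATA_TYPE_STRING:
-                len = bytestream_get_be16(&data);
-                av_strlcpy(dst, data, FFMIN(len+1, dst_size));
+                len = bytestream2_get_be16(gb);
+                if (dst_size < 1)
+                    return -1;
+                if (dst_size < len + 1)
+                    len = dst_size - 1;
+                bytestream2_get_buffer(gb, dst, len);
+                dst[len] = 0;
                 break;
             default:
                 return -1;
             }
             return 0;
         }
-        len = ff_amf_tag_size(data, data_end);
-        if (len < 0 || len >= data_end - data)
+        len = amf_tag_skip(gb);
+        if (len < 0 || bytestream2_get_bytes_left(gb) <= 0)
             return -1;
-        data += len;
     }
     return -1;
 }
 
+int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end,
+                           const uint8_t *name, uint8_t *dst, int dst_size)
+{
+    GetByteContext gb;
+
+    if (data >= data_end)
+        return -1;
+
+    bytestream2_init(&gb, data, data_end - data);
+
+    return amf_get_field_value2(&gb, name, dst, dst_size);
+}
+
 static const char* rtmp_packet_type(int type)
 {
     switch (type) {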
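Review bot: In the AMF_DATA_TYPE_STRING case the return value of `bytestream2_get_buffer(gb, dst, len)` is discarded, so when the declared string length exceeds the bytes left in the packet the copy is short but `dst[len] = 0;` still terminates at the declared length, leaving uninitialized caller-buffer bytes between the copied data and the terminator. As I read bytestream.h the helper returns the count actually copied, so `len = bytestream2_get_buffer(gb, dst, len);` before `dst[len] = 0;` makes the terminator follow the real payload and keeps the result deterministic for a truncated input. A smaller point of style: `size < 0` on the `if (size < 0 || size >= bytestream2_get_bytes_left(gb))` line can no longer be true now that `size` comes from `bytestream2_get_be16()`, and the `while` condition peeks before it checks `bytestream2_get_bytes_left(gb) > 0`, which works only because the peek helper is bounds-checked; swapping the two operands would make that explicit.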
