fix GHSA-98cg-j83c-qhf7 librtmp invoke null handler

librtmp/include/rtmp-internal.h

@@ -119,34 +119,31 @@ struct rtmp_t
 
 	void (*onabort)(void* param, uint32_t chunk_stream_id);
 
-	union
+	struct
 	{
-		struct
-		{
-			// server side
-			int (*onconnect)(void* param, int r, double transaction, const struct rtmp_connect_t* connect);
-			int (*oncreate_stream)(void* param, int r, double transaction);
-			int (*onplay)(void* param, int r, double transaction, const char* stream_name, double start, double duration, uint8_t reset);
-			int (*ondelete_stream)(void* param, int r, double transaction, double stream_id);
-			int (*onreceive_audio)(void* param, int r, double transaction, uint8_t audio);
-			int (*onreceive_video)(void* param, int r, double transaction, uint8_t video);
-			int (*onpublish)(void* param, int r, double transaction, const char* stream_name, const char* stream_type);
-			int (*onseek)(void* param, int r, double transaction, double milliSeconds);
-			int (*onpause)(void* param, int r, double transaction, uint8_t pause, double milliSeconds);
-			int (*onget_stream_length)(void* param, int r, double transaction, const char* stream_name);
-		} server;
-
-		struct
-		{
-			// client side
-			int (*onconnect)(void* param);
-			int (*oncreate_stream)(void* param, double stream_id);
-			int (*onnotify)(void* param, enum rtmp_notify_t notify);
-            int (*oneof)(void* param, uint32_t stream_id); // EOF event
-			int (*onping)(void* param, uint32_t stream_id); // send pong
-			int (*onbandwidth)(void* param); // send window acknowledgement size
-		} client;
-	} u;
+		// server side
+		int (*onconnect)(void* param, int r, double transaction, const struct rtmp_connect_t* connect);
+		int (*oncreate_stream)(void* param, int r, double transaction);
+		int (*onplay)(void* param, int r, double transaction, const char* stream_name, double start, double duration, uint8_t reset);
+		int (*ondelete_stream)(void* param, int r, double transaction, double stream_id);
+		int (*onreceive_audio)(void* param, int r, double transaction, uint8_t audio);
+		int (*onreceive_video)(void* param, int r, double transaction, uint8_t video);
+		int (*onpublish)(void* param, int r, double transaction, const char* stream_name, const char* stream_type);
+		int (*onseek)(void* param, int r, double transaction, double milliSeconds);
+		int (*onpause)(void* param, int r, double transaction, uint8_t pause, double milliSeconds);
+		int (*onget_stream_length)(void* param, int r, double transaction, const char* stream_name);
+	} server;
+
+	struct
+	{
+		// client side
+		int (*onconnect)(void* param);
+		int (*oncreate_stream)(void* param, double stream_id);
+		int (*onnotify)(void* param, enum rtmp_notify_t notify);
+        int (*oneof)(void* param, uint32_t stream_id); // EOF event
+		int (*onping)(void* param, uint32_t stream_id); // send pong
+		int (*onbandwidth)(void* param); // send window acknowledgement size
+	} client;
 };
 
 /// @return 0-ok, other-error

librtmp/source/rtmp-client-invoke-handler.h

@@ -98,14 +98,14 @@ static int rtmp_command_onresult(struct rtmp_t* rtmp, double transaction, const
 		// 2. createStream
 		// 3. FCSubscribe
 		r = rtmp_command_onconnect_reply(&result, data, bytes);
-		return 0 == r ? rtmp->u.client.onconnect(rtmp->param) : r;
+		return 0 == r ? (rtmp->client.onconnect ? rtmp->client.onconnect(rtmp->param) : -1) : r;
 
 	case RTMP_TRANSACTION_CREATE_STREAM:
 		// next: 
 		// publish 
 		// or play/user control message event buffer time
 		r = rtmp_command_oncreate_stream_reply(data, bytes, &stream_id);
-		return 0 == r ? rtmp->u.client.oncreate_stream(rtmp->param, stream_id) : r;
+		return 0 == r ? (rtmp->client.oncreate_stream ? rtmp->client.oncreate_stream(rtmp->param, stream_id) : -1) : r;
 
 	case RTMP_TRANSACTION_GET_STREAM_LENGTH:
 		return rtmp_command_oncreate_stream_reply(data, bytes, &duration);
@@ -175,19 +175,19 @@ static int rtmp_command_onstatus(struct rtmp_t* rtmp, double transaction, const
 			|| 0 == strcasecmp(result.code, "NetStream.Record.Start")
 			|| 0 == strcasecmp(result.code, "NetStream.Publish.Start"))
 		{
-			rtmp->u.client.onnotify(rtmp->param, RTMP_NOTIFY_START);
+			rtmp->client.onnotify ? rtmp->client.onnotify(rtmp->param, RTMP_NOTIFY_START) : 0;
 		}
 		else if (0 == strcasecmp(result.code, "NetStream.Seek.Notify"))
 		{
-			rtmp->u.client.onnotify(rtmp->param, RTMP_NOTIFY_SEEK);
+			rtmp->client.onnotify ? rtmp->client.onnotify(rtmp->param, RTMP_NOTIFY_SEEK) : 0;
 		}
 		else if (0 == strcasecmp(result.code, "NetStream.Pause.Notify"))
 		{
-			rtmp->u.client.onnotify(rtmp->param, RTMP_NOTIFY_PAUSE);
+			rtmp->client.onnotify ? rtmp->client.onnotify(rtmp->param, RTMP_NOTIFY_PAUSE) : 0;
 		}
 		else if (0 == strcasecmp(result.code, "NetStream.Unpause.Notify"))
 		{
-			rtmp->u.client.onnotify(rtmp->param, RTMP_NOTIFY_START);
+			rtmp->client.onnotify ? rtmp->client.onnotify(rtmp->param, RTMP_NOTIFY_START) : 0;
 		}
 		else if (0 == strcasecmp(result.code, "NetStream.Play.Reset"))
 		{
@@ -197,7 +197,7 @@ static int rtmp_command_onstatus(struct rtmp_t* rtmp, double transaction, const
 				|| 0 == strcasecmp(result.code, "NetStream.Record.Stop")
 				|| 0 == strcasecmp(result.code, "NetStream.Play.Complete"))
 		{
-			rtmp->u.client.onnotify(rtmp->param, RTMP_NOTIFY_STOP);
+			rtmp->client.onnotify ? rtmp->client.onnotify(rtmp->param, RTMP_NOTIFY_STOP) : 0;
 		}
 		else if (0 == strcasecmp(result.code, "NetStream.Play.PublishNotify") 
 			|| 0 == strcasecmp(result.code, "NetStream.Play.UnpublishNotify"))

librtmp/source/rtmp-client.c

@@ -374,12 +374,12 @@ struct rtmp_client_t* rtmp_client_create(const char* appname, const char* playpa
 	ctx->rtmp.onvideo = rtmp_client_onvideo;
 	ctx->rtmp.onabort = rtmp_client_onabort;
 	ctx->rtmp.onscript = rtmp_client_onscript;
-	ctx->rtmp.u.client.onconnect = rtmp_client_onconnect;
-	ctx->rtmp.u.client.oncreate_stream = rtmp_client_oncreate_stream;
-	ctx->rtmp.u.client.onnotify = rtmp_client_onnotify;
-	ctx->rtmp.u.client.onping = rtmp_client_onping;
-    ctx->rtmp.u.client.oneof = rtmp_client_oneof;
-	ctx->rtmp.u.client.onbandwidth = rtmp_client_onbandwidth;
+	ctx->rtmp.client.onconnect = rtmp_client_onconnect;
+	ctx->rtmp.client.oncreate_stream = rtmp_client_oncreate_stream;
+	ctx->rtmp.client.onnotify = rtmp_client_onnotify;
+	ctx->rtmp.client.onping = rtmp_client_onping;
+    ctx->rtmp.client.oneof = rtmp_client_oneof;
+	ctx->rtmp.client.onbandwidth = rtmp_client_onbandwidth;
 
 	snprintf(ctx->connect.app, sizeof(ctx->connect.app) - 1, "%s", appname);
 	if (tcurl) snprintf(ctx->connect.tcUrl, sizeof(ctx->connect.tcUrl) - 1, "%s", tcurl);

librtmp/source/rtmp-control-handler.c

@@ -105,7 +105,7 @@ int rtmp_control_handler(struct rtmp_t* rtmp, const struct rtmp_chunk_header_t*
 		assert(5 == header->length);
 		if (5 == rtmp_read_set_peer_bandwidth(data, header->length, &rtmp->peer_bandwidth, &rtmp->limit_type))
 		{
-			rtmp->u.client.onbandwidth(rtmp->param);
+			rtmp->client.onbandwidth ? rtmp->client.onbandwidth(rtmp->param) : 0;
 			return 5;
 		}
 		return 0;

librtmp/source/rtmp-event.c

@@ -122,7 +122,7 @@ int rtmp_event_handler(struct rtmp_t* rtmp, const struct rtmp_chunk_header_t* he
 		return 6;
 
     case RTMP_EVENT_STREAM_EOF:
-        rtmp->u.client.oneof(rtmp->param, streamId);
+		rtmp->client.oneof ? rtmp->client.oneof(rtmp->param, streamId) : 0;
 		return 6;
 
 	case RTMP_EVENT_SET_BUFFER_LENGTH:
@@ -131,7 +131,7 @@ int rtmp_event_handler(struct rtmp_t* rtmp, const struct rtmp_chunk_header_t* he
 		return 10;
 
 	case RTMP_EVENT_PING:
-		rtmp->u.client.onping(rtmp->param, streamId);
+		rtmp->client.onping ? rtmp->client.onping(rtmp->param, streamId) : 0;
 		return 6;
 
 	case RTMP_EVENT_PONG:

librtmp/source/rtmp-invoke-handler.c

@@ -29,7 +29,7 @@ static int rtmp_command_onconnect(struct rtmp_t* rtmp, double transaction, const
 	AMF_OBJECT_ITEM_VALUE(items[0], AMF_OBJECT, "command", commands, sizeof(commands) / sizeof(commands[0]));
 
 	r = amf_read_items(data, data + bytes, items, sizeof(items) / sizeof(items[0])) ? 0 : -1;
-	return rtmp->u.server.onconnect(rtmp->param, r, transaction, &connect);
+	return rtmp->server.onconnect ? rtmp->server.onconnect(rtmp->param, r, transaction, &connect) : -1;
 }
 
 // createStream request parser
@@ -40,7 +40,7 @@ static int rtmp_command_oncreate_stream(struct rtmp_t* rtmp, double transaction,
 	AMF_OBJECT_ITEM_VALUE(items[0], AMF_OBJECT, "command", NULL, 0);
 
 	r = amf_read_items(data, data + bytes, items, sizeof(items) / sizeof(items[0])) ? 0 : -1;
-	return rtmp->u.server.oncreate_stream(rtmp->param, r, transaction);
+	return rtmp->server.oncreate_stream ? rtmp->server.oncreate_stream(rtmp->param, r, transaction) : -1;
 }
 
 // 7.2.2.1. play (p38)
@@ -60,7 +60,7 @@ static int rtmp_command_onplay(struct rtmp_t* rtmp, double transaction, const ui
 	AMF_OBJECT_ITEM_VALUE(items[4], AMF_BOOLEAN, "reset", &reset, 1);
 
 	r = amf_read_items(data, data + bytes, items, sizeof(items) / sizeof(items[0])) ? 0 : -1;
-	return rtmp->u.server.onplay(rtmp->param, r, transaction, stream_name, start, duration, reset);
+	return rtmp->server.onplay ? rtmp->server.onplay(rtmp->param, r, transaction, stream_name, start, duration, reset) : -1;
 }
 
 // 7.2.2.3. deleteStream (p43)
@@ -73,7 +73,7 @@ static int rtmp_command_ondelete_stream(struct rtmp_t* rtmp, double transaction,
 	AMF_OBJECT_ITEM_VALUE(items[1], AMF_NUMBER, "streamId", &stream_id, 8);
 
 	r = amf_read_items(data, data + bytes, items, sizeof(items) / sizeof(items[0])) ? 0 : -1;
-	return rtmp->u.server.ondelete_stream(rtmp->param, r, transaction, stream_id);
+	return rtmp->server.ondelete_stream ? rtmp->server.ondelete_stream(rtmp->param, r, transaction, stream_id) : -1;
 }
 
 // 7.2.2.4. receiveAudio (p44)
@@ -86,7 +86,7 @@ static int rtmp_command_onreceive_audio(struct rtmp_t* rtmp, double transaction,
 	AMF_OBJECT_ITEM_VALUE(items[1], AMF_BOOLEAN, "receiveAudio", &receiveAudio, 1);
 
 	r = amf_read_items(data, data + bytes, items, sizeof(items) / sizeof(items[0])) ? 0 : -1;
-	return rtmp->u.server.onreceive_audio(rtmp->param, r, transaction, receiveAudio);
+	return rtmp->server.onreceive_audio ? rtmp->server.onreceive_audio(rtmp->param, r, transaction, receiveAudio) : -1;
 }
 
 // 7.2.2.5. receiveVideo (p45)
@@ -99,7 +99,7 @@ static int rtmp_command_onreceive_video(struct rtmp_t* rtmp, double transaction,
 	AMF_OBJECT_ITEM_VALUE(items[1], AMF_BOOLEAN, "receiveVideo", &receiveVideo, 1);
 
 	r = amf_read_items(data, data + bytes, items, sizeof(items) / sizeof(items[0])) ? 0 : -1;
-	return rtmp->u.server.onreceive_video(rtmp->param, r, transaction, receiveVideo);
+	return rtmp->server.onreceive_video ? rtmp->server.onreceive_video(rtmp->param, r, transaction, receiveVideo) : -1;
 }
 
 // 7.2.2.6. publish (p45)
@@ -115,7 +115,7 @@ static int rtmp_command_onpublish(struct rtmp_t* rtmp, double transaction, const
 	AMF_OBJECT_ITEM_VALUE(items[2], AMF_STRING, "type", stream_type, sizeof(stream_type));
 
 	r = amf_read_items(data, data + bytes, items, sizeof(items) / sizeof(items[0])) ? 0 : -1;
-	return rtmp->u.server.onpublish(rtmp->param, r, transaction, stream_name, stream_type);
+	return rtmp->server.onpublish ? rtmp->server.onpublish(rtmp->param, r, transaction, stream_name, stream_type) : -1;
 }
 
 // 7.2.2.7. seek (p46)
@@ -128,7 +128,7 @@ static int rtmp_command_onseek(struct rtmp_t* rtmp, double transaction, const ui
 	AMF_OBJECT_ITEM_VALUE(items[1], AMF_NUMBER, "milliSeconds", &milliSeconds, 8);
 
 	r = amf_read_items(data, data + bytes, items, sizeof(items) / sizeof(items[0])) ? 0 : -1;
-	return rtmp->u.server.onseek(rtmp->param, r, transaction, milliSeconds);
+	return rtmp->server.onseek ? rtmp->server.onseek(rtmp->param, r, transaction, milliSeconds) : -1;
 }
 
 // pause request parser
@@ -143,7 +143,7 @@ static int rtmp_command_onpause(struct rtmp_t* rtmp, double transaction, const u
 	AMF_OBJECT_ITEM_VALUE(items[2], AMF_NUMBER, "milliSeconds", &milliSeconds, 8);
 
 	r = amf_read_items(data, data + bytes, items, sizeof(items) / sizeof(items[0])) ? 0 : -1;
-	return rtmp->u.server.onpause(rtmp->param, r, transaction, pause, milliSeconds);
+	return rtmp->server.onpause ? rtmp->server.onpause(rtmp->param, r, transaction, pause, milliSeconds) : -1;
 }
 
 static int rtmp_command_onget_stream_length(struct rtmp_t* rtmp, double transaction, const uint8_t* data, uint32_t bytes)
@@ -155,7 +155,7 @@ static int rtmp_command_onget_stream_length(struct rtmp_t* rtmp, double transact
 	AMF_OBJECT_ITEM_VALUE(items[1], AMF_STRING, "playpath", stream_name, sizeof(stream_name));
 
 	r = amf_read_items(data, data + bytes, items, sizeof(items) / sizeof(items[0])) ? 0 : -1;
-	return rtmp->u.server.onget_stream_length(rtmp->param, r, transaction, stream_name);
+	return rtmp->server.onget_stream_length ? rtmp->server.onget_stream_length(rtmp->param, r, transaction, stream_name) : -1;
 }
 
 /*

librtmp/source/rtmp-server.c

@@ -427,16 +427,16 @@ struct rtmp_server_t* rtmp_server_create(void* param, const struct rtmp_server_h
 	ctx->rtmp.onvideo = rtmp_server_onvideo;
 	ctx->rtmp.onabort = rtmp_server_onabort;
 	ctx->rtmp.onscript = rtmp_server_onscript;
-	ctx->rtmp.u.server.onconnect = rtmp_server_onconnect;
-	ctx->rtmp.u.server.oncreate_stream = rtmp_server_oncreate_stream;
-	ctx->rtmp.u.server.ondelete_stream = rtmp_server_ondelete_stream;
-	ctx->rtmp.u.server.onget_stream_length = rtmp_server_onget_stream_length;
-	ctx->rtmp.u.server.onpublish = rtmp_server_onpublish;
-	ctx->rtmp.u.server.onplay = rtmp_server_onplay;
-	ctx->rtmp.u.server.onpause = rtmp_server_onpause;
-	ctx->rtmp.u.server.onseek = rtmp_server_onseek;
-	ctx->rtmp.u.server.onreceive_audio = rtmp_server_onreceive_audio;
-	ctx->rtmp.u.server.onreceive_video = rtmp_server_onreceive_video;
+	ctx->rtmp.server.onconnect = rtmp_server_onconnect;
+	ctx->rtmp.server.oncreate_stream = rtmp_server_oncreate_stream;
+	ctx->rtmp.server.ondelete_stream = rtmp_server_ondelete_stream;
+	ctx->rtmp.server.onget_stream_length = rtmp_server_onget_stream_length;
+	ctx->rtmp.server.onpublish = rtmp_server_onpublish;
+	ctx->rtmp.server.onplay = rtmp_server_onplay;
+	ctx->rtmp.server.onpause = rtmp_server_onpause;
+	ctx->rtmp.server.onseek = rtmp_server_onseek;
+	ctx->rtmp.server.onreceive_audio = rtmp_server_onreceive_audio;
+	ctx->rtmp.server.onreceive_video = rtmp_server_onreceive_video;
 
 	ctx->rtmp.out_packets[RTMP_CHANNEL_PROTOCOL].header.cid = RTMP_CHANNEL_PROTOCOL;
 	ctx->rtmp.out_packets[RTMP_CHANNEL_INVOKE].header.cid = RTMP_CHANNEL_INVOKE;