rtmppkt: Check for packet size mismatches

diff mbox

Message ID	20161215132221.41051-1-martin@martin.st
State	Committed
Commit	a1d1bc1ba37e6d58b58982a94a1cdf7b6819d8a7
Headers	show Return-Path: <libav-devel-bounces@libav.org> From: =?utf-8?q?Martin_Storsj=C3=B6?= <martin@martin.st> To: libav-devel@libav.org Date: Thu, 15 Dec 2016 15:22:21 +0200 Message-Id: <20161215132221.41051-1-martin@martin.st> In-Reply-To: <b84bd669-8ae2-66ad-abeb-25789c5d8e16@gentoo.org> References: <b84bd669-8ae2-66ad-abeb-25789c5d8e16@gentoo.org> Cc: libav-stable@libav.org Subject: [libav-devel] [PATCH] rtmppkt: Check for packet size mismatches Precedence: list Reply-To: libav development <libav-devel@libav.org> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: libav-devel-bounces@libav.org Sender: "libav-devel" <libav-devel-bounces@libav.org>

Message ID

20161215132221.41051-1-martin@martin.st

State

Committed

Commit

a1d1bc1ba37e6d58b58982a94a1cdf7b6819d8a7

Headers

show

Return-Path: <libav-devel-bounces@libav.org>
X-Original-To: patchwork@jannau.net
Delivered-To: patchwork@jannau.net
Received: from oboro.libav.org (oboro.libav.org [5.148.163.139])
	by soltyk.jannau.net (Postfix) with ESMTP id 073803E00F0;
	Thu, 15 Dec 2016 14:22:28 +0100 (CET)
Received: from oboro.libav.org (localhost [127.0.0.1])
	by oboro.libav.org (Postfix) with ESMTP id 318D25DE43;
	Thu, 15 Dec 2016 14:22:27 +0100 (CET)
X-Original-To: libav-devel@libav.org
Delivered-To: libav-devel@libav.org
Received: from localhost (localhost [127.0.0.1])
	by oboro.libav.org (Postfix) with ESMTP id 917EA5DE3D
	for <libav-devel@libav.org>; Thu, 15 Dec 2016 14:22:26 +0100 (CET)
Received: from oboro.libav.org ([127.0.0.1])
	by localhost (oboro.libav.org [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id ZaPxvBpitM4n for <libav-devel@libav.org>;
	Thu, 15 Dec 2016 14:22:24 +0100 (CET)
Received: from mail-lf0-x241.google.com (mail-lf0-x241.google.com
	[IPv6:2a00:1450:4010:c07::241])
	by oboro.libav.org (Postfix) with ESMTPS id 5353C5DE43
	for <libav-devel@libav.org>; Thu, 15 Dec 2016 14:22:24 +0100 (CET)
Received: by mail-lf0-x241.google.com with SMTP id y21so1266891lfa.0
	for <libav-devel@libav.org>; Thu, 15 Dec 2016 05:22:24 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=zyUJbP4/RxHz91JLo2e9xUXTzQ5F0OmpXcvs7vo8Xys=;
	b=UDjjbAlochbz5GBT3/GJyi08N96JoE3Jm/mpSxMlTHFxwVBs1mlpjgfzvo07L8ChTj
	psGS8AqJeKrhdfJIfQmW/jMXtAG6Fur6fdkTyqTA7EW1AUTPg13PyBVWvYdaMmlzcNt+
	BTZngCaJZgtUN5XXOUcf9UlH4PkLDAZex0n4BJ4pFZ+VlBPalSozqiy6MoBKsOkaj+Uh
	AB0wsIctSjevcBtJ+4aq+KCNlNEilkAWlvTmNE5Wpw8CnzpAICoLYbg4e5n1ss00XDt2
	wErhxoLRgNCoanBHeAURzVDYcV+TyTdLnfjcp3Nkz6N2sNDtrO4UbgALbmyW6b1loNRk
	EuAA==
X-Gm-Message-State: AKaTC00gnKuqwUos5IfNJmQ1uWPGURYgGkvTD0YgJAAjLVjfkqelLHIKTkb14Ih+Zf6YTg==
X-Received: by 10.25.201.78 with SMTP id z75mr451664lff.33.1481808143669;
	Thu, 15 Dec 2016 05:22:23 -0800 (PST)
Received: from localhost ([2001:470:28:852:e940:6b8d:702c:d891])
	by smtp.gmail.com with ESMTPSA id 1sm453800ljo.16.2016.12.15.05.22.22
	(version=TLS1 cipher=AES128-SHA bits=128/128);
	Thu, 15 Dec 2016 05:22:22 -0800 (PST)
From: =?utf-8?q?Martin_Storsj=C3=B6?= <martin@martin.st>
To: libav-devel@libav.org
Date: Thu, 15 Dec 2016 15:22:21 +0200
Message-Id: <20161215132221.41051-1-martin@martin.st>
X-Mailer: git-send-email 2.10.1 (Apple Git-78)
In-Reply-To: <b84bd669-8ae2-66ad-abeb-25789c5d8e16@gentoo.org>
References: <b84bd669-8ae2-66ad-abeb-25789c5d8e16@gentoo.org>
Cc: libav-stable@libav.org
Subject: [libav-devel] [PATCH] rtmppkt: Check for packet size mismatches
X-BeenThere: libav-devel@libav.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: libav development <libav-devel@libav.org>
List-Id: libav development <libav-devel.libav.org>
List-Unsubscribe: <https://lists.libav.org/mailman/options/libav-devel>,
	<mailto:libav-devel-request@libav.org?subject=unsubscribe>
List-Archive: <http://lists.libav.org/pipermail/libav-devel/>
List-Post: <mailto:libav-devel@libav.org>
List-Help: <mailto:libav-devel-request@libav.org?subject=help>
List-Subscribe: <https://lists.libav.org/mailman/listinfo/libav-devel>,
	<mailto:libav-devel-request@libav.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: libav-devel-bounces@libav.org
Sender: "libav-devel" <libav-devel-bounces@libav.org>

Commit Message

Martin Storsjö Dec. 15, 2016, 1:22 p.m.

From: Michael Niedermayer <michael@niedermayer.cc>

When receiving fragmented packets, the first packet declares the size,
and the later ones normally are small follow-on packets that don't repeat
the size and the other header fields. But technically, the later fragments
also can have a full header, declaring a different size than the previous
packet.

If the follow-on packet declares a larger size than the initial one, we
could end up writing outside of the allocation.

This fixes out of bounds writes.

Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>

CC: libav-stable@libav.org
---
Now with error return and improved commit message.
---
 libavformat/rtmppkt.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

Luca Barbato Dec. 15, 2016, 1:28 p.m. | #1

On 15/12/2016 14:22, Martin Storsjö wrote:
> From: Michael Niedermayer <michael@niedermayer.cc>
> 
> When receiving fragmented packets, the first packet declares the size,
> and the later ones normally are small follow-on packets that don't repeat
> the size and the other header fields. But technically, the later fragments
> also can have a full header, declaring a different size than the previous
> packet.
> 
> If the follow-on packet declares a larger size than the initial one, we
> could end up writing outside of the allocation.
> 
> This fixes out of bounds writes.
> 
> Found-by: Paul Cher <paulcher@icloud.com>
> Reviewed-by: Paul Cher <paulcher@icloud.com>
> 
> CC: libav-stable@libav.org
> ---
> Now with error return and improved commit message.
> ---
>  libavformat/rtmppkt.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 

Fine for me :)

Patch

diff mbox

diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c
index f8c51d0..1cb3078 100644
--- a/libavformat/rtmppkt.c
+++ b/libavformat/rtmppkt.c
@@ -235,6 +235,14 @@  static int rtmp_packet_read_one_chunk(URLContext *h, RTMPPacket *p,
     if (hdr != RTMP_PS_TWELVEBYTES)
         timestamp += prev_pkt[channel_id].timestamp;
 
+    if (prev_pkt[channel_id].read && size != prev_pkt[channel_id].size) {
+        av_log(h, AV_LOG_ERROR, "RTMP packet size mismatch %d != %d\n",
+                                size, prev_pkt[channel_id].size);
+        ff_rtmp_packet_destroy(&prev_pkt[channel_id]);
+        prev_pkt[channel_id].read = 0;
+        return AVERROR_INVALIDDATA;
+    }
+
     if (!prev_pkt[channel_id].read) {
         if ((ret = ff_rtmp_packet_create(p, channel_id, type, timestamp,
                                          size)) < 0)