rtmppkt: Check for packet size mismatches

Message ID 20161215132221.41051-1-martin@martin.st
State Committed
Commit a1d1bc1ba37e6d58b58982a94a1cdf7b6819d8a7
Headers show

Commit Message

Martin Storsjö Dec. 15, 2016, 1:22 p.m.
From: Michael Niedermayer <michael@niedermayer.cc>

When receiving fragmented packets, the first packet declares the size,
and the later ones normally are small follow-on packets that don't repeat
the size and the other header fields. But technically, the later fragments
also can have a full header, declaring a different size than the previous
packet.

If the follow-on packet declares a larger size than the initial one, we
could end up writing outside of the allocation.

This fixes out of bounds writes.

Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>

CC: libav-stable@libav.org
---
Now with error return and improved commit message.
---
 libavformat/rtmppkt.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

Luca Barbato Dec. 15, 2016, 1:28 p.m. | #1
On 15/12/2016 14:22, Martin Storsjö wrote:
> From: Michael Niedermayer <michael@niedermayer.cc>
> 
> When receiving fragmented packets, the first packet declares the size,
> and the later ones normally are small follow-on packets that don't repeat
> the size and the other header fields. But technically, the later fragments
> also can have a full header, declaring a different size than the previous
> packet.
> 
> If the follow-on packet declares a larger size than the initial one, we
> could end up writing outside of the allocation.
> 
> This fixes out of bounds writes.
> 
> Found-by: Paul Cher <paulcher@icloud.com>
> Reviewed-by: Paul Cher <paulcher@icloud.com>
> 
> CC: libav-stable@libav.org
> ---
> Now with error return and improved commit message.
> ---
>  libavformat/rtmppkt.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 

Fine for me :)

Patch

diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c
index f8c51d0..1cb3078 100644
--- a/libavformat/rtmppkt.c
+++ b/libavformat/rtmppkt.c
@@ -235,6 +235,14 @@  static int rtmp_packet_read_one_chunk(URLContext *h, RTMPPacket *p,
     if (hdr != RTMP_PS_TWELVEBYTES)
         timestamp += prev_pkt[channel_id].timestamp;
 
+    if (prev_pkt[channel_id].read && size != prev_pkt[channel_id].size) {
+        av_log(h, AV_LOG_ERROR, "RTMP packet size mismatch %d != %d\n",
+                                size, prev_pkt[channel_id].size);
+        ff_rtmp_packet_destroy(&prev_pkt[channel_id]);
+        prev_pkt[channel_id].read = 0;
+        return AVERROR_INVALIDDATA;
+    }
+
     if (!prev_pkt[channel_id].read) {
         if ((ret = ff_rtmp_packet_create(p, channel_id, type, timestamp,
                                          size)) < 0)