rtmppkt: Check for packet size mismatches

Message ID 20161215134614.9DFFC5DACB@aruru.libav.org
State New
Headers show

Commit Message

Janne Grunau Dec. 15, 2016, 1:46 p.m.
Module: libav
Branch: master
Commit: a4fec9a7eab842ea5eea1b1ee98624356cb31422

Author:    Michael Niedermayer <michael@niedermayer.cc>
Committer: Martin Storsjö <martin@martin.st>
Date:      Mon Dec  5 11:14:51 2016 +0100

rtmppkt: Check for packet size mismatches

When receiving fragmented packets, the first packet declares the size,
and the later ones normally are small follow-on packets that don't repeat
the size and the other header fields. But technically, the later fragments
also can have a full header, declaring a different size than the previous
packet.

If the follow-on packet declares a larger size than the initial one, we
could end up writing outside of the allocation.

This fixes out of bounds writes.

Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>

---

 libavformat/rtmppkt.c |    8 ++++++++
 1 file changed, 8 insertions(+)

Patch

diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c
index f8c51d0..1cb3078 100644
--- a/libavformat/rtmppkt.c
+++ b/libavformat/rtmppkt.c
@@ -235,6 +235,14 @@  static int rtmp_packet_read_one_chunk(URLContext *h, RTMPPacket *p,
     if (hdr != RTMP_PS_TWELVEBYTES)
         timestamp += prev_pkt[channel_id].timestamp;
 
+    if (prev_pkt[channel_id].read && size != prev_pkt[channel_id].size) {
+        av_log(h, AV_LOG_ERROR, "RTMP packet size mismatch %d != %d\n",
+                                size, prev_pkt[channel_id].size);
+        ff_rtmp_packet_destroy(&prev_pkt[channel_id]);
+        prev_pkt[channel_id].read = 0;
+        return AVERROR_INVALIDDATA;
+    }
+
     if (!prev_pkt[channel_id].read) {
         if ((ret = ff_rtmp_packet_create(p, channel_id, type, timestamp,
                                          size)) < 0)