From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 28 Jul 2017 15:47:05 +0200
Message-Id: <20170728134705.20300-2-michael@niedermayer.cc>
In-Reply-To: <20170728134705.20300-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/2] avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2

Fixes: out of array accesses

The new function uses ff_ prefix even though it's static to ease future changes toward bytestream2

Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer
--- libavformat/rtmppkt.c | 57 +++++++++++++++++++++++++++++++++------------------ 1 file changed, 37 insertions(+), 20 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 752d92a42b..68c688136c 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c 
@@ -497,53 +497,70 @@ int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) return bytestream2_tell(&gb); } -int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, +static int ff_amf_get_field_value2(GetByteContext *gb, const uint8_t *name, uint8_t *dst, int dst_size) { int namelen = strlen(name); int len; - while (*data != AMF_DATA_TYPE_OBJECT && data < data_end) { - len = ff_amf_tag_size(data, data_end); - if (len < 0) - len = data_end - data; - data += len; + while (bytestream2_peek_byte(gb) != AMF_DATA_TYPE_OBJECT && bytestream2_get_bytes_left(gb) > 0) { + int ret = ff_amf_tag_skip(gb); + if (ret < 0) + return -1; } - if (data_end - data < 3) + if (bytestream2_get_bytes_left(gb) < 3) return -1; - data++; + bytestream2_get_byte(gb); + for (;;) { - int size = bytestream_get_be16(&data); + int size = bytestream2_get_be16(gb); if (!size) break; - if (size < 0 || size >= data_end - data) + if (size < 0 || size >= bytestream2_get_bytes_left(gb)) return -1; - data += size; - if (size == namelen && !memcmp(data-size, name, namelen)) { - switch (*data++) { + bytestream2_skip(gb, size); + if (size == namelen && !memcmp(gb->buffer-size, name, namelen)) { + switch (bytestream2_get_byte(gb)) { case AMF_DATA_TYPE_NUMBER: - snprintf(dst, dst_size, "%g", av_int2double(AV_RB64(data))); + snprintf(dst, dst_size, "%g", av_int2double(bytestream2_get_be64(gb))); break; case AMF_DATA_TYPE_BOOL: - snprintf(dst, dst_size, "%s", *data ? "true" : "false"); + snprintf(dst, dst_size, "%s", bytestream2_get_byte(gb) ? 
"true" : "false"); break; case AMF_DATA_TYPE_STRING: - len = bytestream_get_be16(&data); - av_strlcpy(dst, data, FFMIN(len+1, dst_size)); + len = bytestream2_get_be16(gb); + if (dst_size < 1) + return -1; + if (dst_size < len + 1) + len = dst_size - 1; + bytestream2_get_buffer(gb, dst, len); + dst[len] = 0; break; default: return -1; } return 0; } - len = ff_amf_tag_size(data, data_end); - if (len < 0 || len >= data_end - data) + len = ff_amf_tag_skip(gb); + if (len < 0 || bytestream2_get_bytes_left(gb) <= 0) return -1; - data += len; } return -1; } +int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, + const uint8_t *name, uint8_t *dst, int dst_size) +{ + GetByteContext gb; + + if (data >= data_end) + return -1; + + bytestream2_init(&gb, data, data_end - data); + + return ff_amf_get_field_value2(&gb, name, dst, dst_size); +} + static const char* rtmp_packet_type(int type) { switch (type) {