[oi-userland.git] / components / encumbered / rtmpdump / patches / 03-CVE-2015-8271-1.patch
1 From 39ec7eda489717d503bc4cbfaa591c93205695b6 Mon Sep 17 00:00:00 2001
2 From: Howard Chu <hyc@highlandsun.com>
3 Date: Mon, 14 Dec 2015 18:31:18 +0000
4 Subject: [PATCH] Fix AMF3_Decode
6 check for input buffer underrun
7 ---
8 librtmp/amf.c | 17 ++++++++++++++---
9 1 file changed, 14 insertions(+), 3 deletions(-)
11 diff --git a/librtmp/amf.c b/librtmp/amf.c
12 index 9261217..d315145 100644
13 --- a/librtmp/amf.c
14 +++ b/librtmp/amf.c
15 @@ -1055,12 +1055,12 @@ AMF3_Decode(AMFObject *obj, const char *pBuffer, int nSize, int bAMFData)
16 else
18 int32_t classExtRef = (classRef >> 1);
19 - int i;
20 + int i, cdnum;
22 cd.cd_externalizable = (classExtRef & 0x1) == 1;
23 cd.cd_dynamic = ((classExtRef >> 1) & 0x1) == 1;
25 - cd.cd_num = classExtRef >> 2;
26 + cdnum = classExtRef >> 2;
28 /* class name */
30 @@ -1075,7 +1075,7 @@ AMF3_Decode(AMFObject *obj, const char *pBuffer, int nSize, int bAMFData)
31 cd.cd_name.av_val, cd.cd_externalizable, cd.cd_dynamic,
32 cd.cd_num);
34 - for (i = 0; i < cd.cd_num; i++)
35 + for (i = 0; i < cdnum; i++)
37 AVal memberName;
38 len = AMF3ReadString(pBuffer, &memberName);
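Review bot: The `RTMP_Log` call kept as context above the loop still passes `cd.cd_num`, but the hunk at @@ -1055 stopped assigning the decoded count to that field, so the member count logged is no longer the value read from the wire. Pass the new local instead: `cd.cd_name.av_val, cd.cd_externalizable, cd.cd_dynamic, cdnum);`. This assumes `cd.cd_num` is now advanced only by `AMF3CD_AddProp`, whose body is not on the page. A short comment on `cdnum` stating that it is the declared count taken from untrusted input, as opposed to the number of members actually stored, would make the split clear.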
39 @@ -1083,6 +1083,13 @@ AMF3_Decode(AMFObject *obj, const char *pBuffer, int nSize, int bAMFData)
40 AMF3CD_AddProp(&cd, &memberName);
41 nSize -= len;
42 pBuffer += len;
43 + if (nSize <=0)
44 + {
45 +invalid:
46 + RTMP_Log(RTMP_LOGDEBUG, "%s, invalid class encoding!",
47 + __FUNCTION__);
48 + return nOriginalSize;
49 + }
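Review bot: The new `nSize <= 0` test runs only after `AMF3ReadString` has parsed the name and `AMF3CD_AddProp` has stored it, and the visible call `AMF3ReadString(pBuffer, &memberName)` carries no remaining-length argument. An encoded length larger than what is left is therefore noticed one step late, when `memberName` may already reference bytes past the input. Checking the returned length before it is used, `if (len > nSize) goto invalid;` placed ahead of `AMF3CD_AddProp`, would reject the record before anything is stored. The `invalid:` path returns `nOriginalSize`, which a caller presumably cannot tell apart from a fully consumed buffer, and it leaves whatever `AMF3CD_AddProp` allocated in `cd` in place; whether that is released elsewhere is not visible here. The loop body continues outside the hunk.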
53 @@ -1123,6 +1130,8 @@ AMF3_Decode(AMFObject *obj, const char *pBuffer, int nSize, int bAMFData)
55 pBuffer += nRes;
56 nSize -= nRes;
57 + if (nSize <=0)
58 + goto invalid;
60 if (cd.cd_dynamic)
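Review bot: `nSize -= nRes` followed by `if (nSize <=0)` only catches an underrun when `nRes` is non-negative. The assignment of `nRes` is outside the hunk, but if the property decoder reports failure with a negative value, `nSize` grows, `pBuffer` moves backwards and the new guard passes. Testing the result before the pointer arithmetic, `if (nRes < 0 || nRes > nSize) goto invalid;`, covers both the failure and the overrun case. The same applies to the identical check added at @@ -1135.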
62 @@ -1135,6 +1144,8 @@ AMF3_Decode(AMFObject *obj, const char *pBuffer, int nSize, int bAMFData)
64 pBuffer += nRes;
65 nSize -= nRes;
66 + if (nSize <=0)
67 + goto invalid;
69 len = prop.p_name.av_len;
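Review bot: `goto invalid` here targets a label that sits inside the `if` body within the member-name loop added at @@ -1083, so control jumps backwards into a nested block in an earlier part of the function. That is legal C but fragile when that loop is next edited. Moving the log-and-return to a label at the end of `AMF3_Decode`, with all three checks using `goto` to reach it, would leave one visible error exit. The enclosing loop starts and ends outside the hunk.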
71 --
72 1.9.1