Fix issue 4/7 from LMX of Qihoo 360 Codesafe Team

author Howard Chu <hyc@highlandsun.com>

Wed, 23 Dec 2015 18:10:15 +0000 (18:10 +0000)

committer Howard Chu <hyc@highlandsun.com>

Wed, 23 Dec 2015 19:09:27 +0000 (19:09 +0000)
author Howard Chu <hyc@highlandsun.com>
Wed, 23 Dec 2015 18:10:15 +0000 (18:10 +0000)
committer Howard Chu <hyc@highlandsun.com>
Wed, 23 Dec 2015 19:09:27 +0000 (19:09 +0000)
diff --git a/librtmp/rtmp.c b/librtmp/rtmp.c

index d3c471587f33cc882e5be188870c60b308e03eac..057058b9f96bbab60fcc1e974b0570b6c2fef476 100644 (file)
--- a/librtmp/rtmp.c
+++ b/librtmp/rtmp.c
@@ -186,9 +186,12 @@ RTMPPacket_Reset(RTMPPacket *p)
  }
  
  int
-RTMPPacket_Alloc(RTMPPacket *p, int nSize)
+RTMPPacket_Alloc(RTMPPacket *p, uint32_t nSize)
  {
-  char *ptr = calloc(1, nSize + RTMP_MAX_HEADER_SIZE);
+  char *ptr;
+  if (nSize > SIZE_MAX - RTMP_MAX_HEADER_SIZE)
+    return FALSE;
+  ptr = calloc(1, nSize + RTMP_MAX_HEADER_SIZE);
    if (!ptr)
      return FALSE;
    p->m_body = ptr + RTMP_MAX_HEADER_SIZE;
diff --git a/librtmp/rtmp.h b/librtmp/rtmp.h

index 0248913848a1d066cb825ab89c5ff63e003a71e7..6d7dd896bf80ada43e9339fa68b9fec47ed91ec9 100644 (file)
--- a/librtmp/rtmp.h
+++ b/librtmp/rtmp.h
@@ -136,7 +136,7 @@ extern "C"
  
    void RTMPPacket_Reset(RTMPPacket *p);
    void RTMPPacket_Dump(RTMPPacket *p);
-  int RTMPPacket_Alloc(RTMPPacket *p, int nSize);
+  int RTMPPacket_Alloc(RTMPPacket *p, uint32_t nSize);
    void RTMPPacket_Free(RTMPPacket *p);
  
  #define RTMPPacket_IsReady(a)  ((a)->m_nBytesRead == (a)->m_nBodySize)
author	Howard Chu <hyc@highlandsun.com>
	Wed, 23 Dec 2015 18:10:15 +0000 (18:10 +0000)
committer	Howard Chu <hyc@highlandsun.com>
	Wed, 23 Dec 2015 19:09:27 +0000 (19:09 +0000)
librtmp/rtmp.c		patch \| blob \| history
librtmp/rtmp.h		patch \| blob \| history