Fix issue 6-7/7 from LMX of Qihoo 360 Codesafe Team
authorHoward Chu <hyc@highlandsun.com>
Wed, 23 Dec 2015 18:58:50 +0000 (18:58 +0000)
committerHoward Chu <hyc@highlandsun.com>
Wed, 23 Dec 2015 19:09:27 +0000 (19:09 +0000)
Additional decode input size checks

librtmp/amf.c

index b783d354f500c742040a007ddb51af2f0873be2c..79541447d926fa4d58e19be0c6889dc861b0b5d5 100644 (file)
@@ -519,9 +519,11 @@ AMF3Prop_Decode(AMFObjectProperty *prop, const char *pBuffer, int nSize,
       if (name.av_len <= 0)
        return nRes;
 
+      nSize -= nRes;
+      if (nSize <= 0)
+       return -1;
       prop->p_name = name;
       pBuffer += nRes;
-      nSize -= nRes;
     }
 
   /* decode */
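Review bot: The new `if (nSize <= 0)` guard uses `<=`, while the guard added at the end of this function uses `<`, and nothing in the code records why they differ. A one-line comment above the check, such as `/* the name must fit and leave at least one byte for the value that follows */`, would state the intent. That the value decode consumes a byte straight away is presumed, because the code after `/* decode */` is outside the hunk. The empty-name early return at the top of the hunk sits above the new check, so that path still returns nRes without comparing it with nSize and relies on the caller to do so.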
@@ -607,6 +609,8 @@ AMF3Prop_Decode(AMFObjectProperty *prop, const char *pBuffer, int nSize,
          __FUNCTION__, (unsigned char)(*pBuffer), pBuffer);
       return -1;
     }
+  if (nSize < 0)
+    return -1;
 
   return nOriginalSize - nSize;
 }
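Review bot: The `if (nSize < 0)` test after the switch only detects that a case branch consumed more bytes than were available; by then the reads from pBuffer in that branch have already happened. Each branch that reads a fixed-width value or a length-prefixed string would be safer with a guard of the form `if (nSize < needed) return -1;` ahead of the read. The switch body is outside the hunk, so which branches already check cannot be confirmed from here. The `nSize < 0` test added after AMFProp_Decode in the AMF_Decode hunk has the same after-the-fact shape and depends on the callee bounding its own reads.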
@@ -1001,9 +1005,17 @@ AMF_DecodeArray(AMFObject *obj, const char *pBuffer, int nSize,
       int nRes;
       nArrayLen--;
 
+      if (nSize <= 0)
+       {
+         bError = TRUE;
+         break;
+       }
       nRes = AMFProp_Decode(&prop, pBuffer, nSize, bDecodeName);
       if (nRes == -1)
-       bError = TRUE;
+       {
+         bError = TRUE;
+         break;
+       }
       else
        {
          nSize -= nRes;
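Review bot: After `nSize -= nRes;` there is no check for a negative remainder here, unlike the AMF_Decode hunk in this same commit. The new `nSize <= 0` test at the top of the loop catches it on the next iteration, but when the overrun happens on the last array element the loop appears to end with bError still unset and a return value larger than the input. Adding `if (nSize < 0) { bError = TRUE; break; }` directly after the subtraction would make both decoders agree. The rest of the else branch and the loop head are outside the hunk, so the exit condition is inferred from `nArrayLen--`.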
@@ -1195,10 +1207,18 @@ AMF_Decode(AMFObject *obj, const char *pBuffer, int nSize, int bDecodeName)
 
       nRes = AMFProp_Decode(&prop, pBuffer, nSize, bDecodeName);
       if (nRes == -1)
-       bError = TRUE;
+       {
+         bError = TRUE;
+         break;
+       }
       else
        {
          nSize -= nRes;
+         if (nSize < 0)
+           {
+             bError = TRUE;
+             break;
+           }
          pBuffer += nRes;
          AMF_AddProp(obj, &prop);
        }
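Review bot: The new `nSize < 0` branch breaks out after AMFProp_Decode has already filled `prop` but before `AMF_AddProp(obj, &prop)` takes ownership of it. If the decode allocated anything for a nested object or array, which is not visible in this hunk, that memory is dropped on this path. Calling `AMFProp_Reset(&prop);` before `bError = TRUE;` in that branch would release it. Malformed input that triggers this branch repeatedly would otherwise leak on every message.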