From: Howard Chu Date: Wed, 23 Dec 2015 18:10:15 +0000 (+0000) Subject: Fix issue 4/7 from LMX of Qihoo 360 Codesafe Team X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7c68ad18f4296911114470bb4caaa673d55c8447;p=rtmpdump Fix issue 4/7 from LMX of Qihoo 360 Codesafe Team Potential integer overflow in RTMPPacket_Alloc(). Aside: issue 3/7 could not be reproduced.
---
diff --git a/librtmp/rtmp.c b/librtmp/rtmp.c
index d3c4715..057058b 100644
--- a/librtmp/rtmp.c
+++ b/librtmp/rtmp.c
@@ -186,9 +186,12 @@ RTMPPacket_Reset(RTMPPacket *p)
 }
 int
-RTMPPacket_Alloc(RTMPPacket *p, int nSize)
+RTMPPacket_Alloc(RTMPPacket *p, uint32_t nSize)
 {
- char *ptr = calloc(1, nSize + RTMP_MAX_HEADER_SIZE);
+ char *ptr;
+ if (nSize > SIZE_MAX - RTMP_MAX_HEADER_SIZE)
+ return FALSE;
+ ptr = calloc(1, nSize + RTMP_MAX_HEADER_SIZE);
 if (!ptr)
 return FALSE;
 p->m_body = ptr + RTMP_MAX_HEADER_SIZE;
diff --git a/librtmp/rtmp.h b/librtmp/rtmp.h
index 0248913..6d7dd89 100644
--- a/librtmp/rtmp.h
+++ b/librtmp/rtmp.h
@@ -136,7 +136,7 @@ extern "C"
 void RTMPPacket_Reset(RTMPPacket *p);
 void RTMPPacket_Dump(RTMPPacket *p);
- int RTMPPacket_Alloc(RTMPPacket *p, int nSize);
+ int RTMPPacket_Alloc(RTMPPacket *p, uint32_t nSize);
 void RTMPPacket_Free(RTMPPacket *p);
 #define RTMPPacket_IsReady(a) ((a)->m_nBytesRead == (a)->m_nBodySize)
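Review bot: In the librtmp/rtmp.c hunk the new guard compares a `uint32_t` against `SIZE_MAX`, so where `size_t` is 64 bits it can never be true, while `nSize + RTMP_MAX_HEADER_SIZE` is probably still evaluated in 32-bit unsigned arithmetic (assuming the macro, defined outside the hunk, is a plain integer constant) and wraps before calloc() sees it. That would leave a short allocation with `p->m_body` still set `RTMP_MAX_HEADER_SIZE` bytes past `ptr`, so the overflow this commit targets would remain on LP64 builds. Doing the arithmetic in `size_t` makes the check and the allocation agree: `ptr = calloc(1, (size_t)nSize + RTMP_MAX_HEADER_SIZE);`, or bound the value with `if (nSize > UINT32_MAX - RTMP_MAX_HEADER_SIZE) return FALSE;`. The rtmp.h hunk changes the public prototype to `uint32_t`, so it is worth confirming that the header pulls in `<stdint.h>` and that callers holding a signed length validate it before the call; neither is visible here, and the body of RTMPPacket_Alloc continues past the hunk.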