From 890ce3b334bd3441be476dda3f3ebbf9c18f6db9 Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Sat, 30 Mar 2019 02:46:40 +0000
Subject: [PATCH] Check for valid Content-Length, datestamp overflow
---
 librtmp/hashswf.c | 20 +++++++++++++++-----
 librtmp/rtmp.c | 6 ++++--
 2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/librtmp/hashswf.c b/librtmp/hashswf.c
index 9f4e2c0..6a2daf1 100644
--- a/librtmp/hashswf.c
+++ b/librtmp/hashswf.c
@@ -70,6 +70,8 @@ extern TLS_CTX RTMP_TLS_ctx;
 #endif /* CRYPTO */
+#define DATELEN 64
+
 #define AGENT "Mozilla/5.0"
 HTTPResult
@@ -82,7 +84,8 @@ HTTP_get(struct HTTP_ctx *http, const char *url, HTTP_read_callback *cb)
 #ifdef CRYPTO
 int ssl = 0;
 #endif
- int hlen, flen = 0;
+ int hlen;
+ long flen = 0;
 int rc, i;
 int len_known;
 HTTPResult ret = HTTPRES_OK;
@@ -241,14 +244,20 @@ HTTP_get(struct HTTP_ctx *http, const char *url, HTTP_read_callback *cb)
 if (!strncasecmp (sb.sb_start, "Content-Length: ", sizeof("Content-Length: ") - 1))
 {
- flen = atoi(sb.sb_start + sizeof("Content-Length: ") - 1);
+ flen = strtol(sb.sb_start + sizeof("Content-Length: ") - 1, NULL, 10);
+ if (flen < 0 || ((flen == LONG_MAX || flen == LONG_MIN) && errno == ERANGE))
+ {
+ ret = HTTPRES_BAD_REQUEST;
+ goto leave;
+ }
 }
 else if (!strncasecmp (sb.sb_start, "Last-Modified: ", sizeof("Last-Modified: ") - 1))
 {
 *p2 = '\0';
- strcpy(http->date, sb.sb_start + sizeof("Last-Modified: ") - 1);
+ strncpy(http->date, sb.sb_start + sizeof("Last-Modified: ") - 1, DATELEN-1);
+ http->date[DATELEN-1] = '\0';
 }
 p2 += 2;
 sb.sb_size -= p2 - sb.sb_start;
@@ -453,7 +462,7 @@ RTMP_HashSWF(const char *url, unsigned int *size, unsigned char *hash,
 int age)
 {
 FILE *f = NULL;
- char *path, date[64], cctim[64];
+ char *path, date[DATELEN], cctim[DATELEN];
 long pos = 0;
 time_t ctim = -1, cnow;
 int i, got = 0, ret = 0;
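Review bot: In the `@@ -241,14 +244,20 @@` hunk the new `strtol` call for Content-Length passes `NULL` as the end pointer and never clears `errno`, so a header value with no digits parses as 0, trailing junk is ignored, and the `errno == ERANGE` test can read a stale value; the `flen == LONG_MIN` arm is also unreachable after `flen < 0`. I would parse with `errno = 0; flen = strtol(val, &end, 10);` (with `val` pointing just past the header name) and reject on `end == val || errno == ERANGE || flen < 0`. The patch adds no `#include` for `<limits.h>` or `<errno.h>`, so confirm both are already in scope for `LONG_MAX` and `errno`; the same unchecked `strtol` pattern appears in the `HTTP_read` hunk of librtmp/rtmp.c. In the Last-Modified branch the `DATELEN-1` bound is only safe if `http->date` always refers to at least `DATELEN` bytes, which is not visible here, and `DATELEN` is defined in this .c file only, so that size contract should be documented where the context struct is declared. The body of HTTP_get starts and ends outside this hunk.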
@@ -554,7 +563,8 @@ RTMP_HashSWF(const char *url, unsigned int *size, unsigned char *hash,
 else if (!strncmp(buf, "date: ", 6))
 {
 buf[strlen(buf) - 1] = '\0';
- strncpy(date, buf + 6, sizeof(date));
+ strncpy(date, buf + 6, sizeof(date)-1);
+ date[DATELEN-1] = '\0';
 got++;
 }
 else if (!strncmp(buf, "ctim: ", 6))
diff --git a/librtmp/rtmp.c b/librtmp/rtmp.c
index a2863b0..4cbb711 100644
--- a/librtmp/rtmp.c
+++ b/librtmp/rtmp.c
@@ -4429,7 +4429,7 @@ static int
 HTTP_read(RTMP *r, int fill)
 {
 char *ptr;
- int hlen;
+ long hlen;
 restart:
 if (fill)
@@ -4455,7 +4455,9 @@ restart:
 }
 if (!ptr)
 return -1;
- hlen = atoi(ptr+16);
+ hlen = strtol(ptr+16, NULL, 10);
+ if (hlen < 1 || ((hlen == LONG_MIN || hlen == LONG_MAX) && errno == ERANGE))
+ return -1;
 ptr = strstr(ptr+16, "\r\n\r\n");
 if (!ptr)
 return -1;
-- 
2.50.1
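Review bot: The two added lines in the `@@ -554,7 +563,8 @@` hunk bound the same buffer with different expressions, `sizeof(date)-1` for the copy and `DATELEN-1` for the terminator, so they agree only while `date` stays declared as `date[DATELEN]`. Writing the terminator as `date[sizeof(date)-1] = '\0';` ties both to the array itself. A cached date longer than the buffer is now truncated silently, so a one-line comment such as `/* overlong cached date is truncated on purpose */` would record that this is intended. The surrounding if/else chain in RTMP_HashSWF starts and ends outside the hunk.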
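Review bot: The check added in the `@@ -4455,7 +4455,9 @@` hunk sets only a lower bound on `hlen`, so where `long` is 64 bits any header value up to `LONG_MAX` is accepted. How `hlen` is used after the `strstr` call is outside this hunk; if it is stored into an `int` field or used as a copy or allocation length, it should be capped first, for example `if (hlen < 1 || hlen > INT_MAX) return -1;`, and ideally compared against the number of bytes actually buffered. The `hlen == LONG_MIN` arm is already covered by `hlen < 1`, and `errno` is not reset before the call, so the `ERANGE` test may read a stale value.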