ubeddulla opened a new pull request, #3371:
URL: https://github.com/apache/brpc/pull/3371

### What problem does this PR solve?

Issue Number: N/A

Problem Summary:

`AVCDecoderConfigurationRecord::Create` copies the sequence header into a buffer that is not NUL-terminated (`DEFINE_SMALL_ARRAY`), then calls `ParseSPS(buf.data() + 2, sps_length)`. `ParseSPS` takes a `butil::StringPiece`, so the bare `const char*` is turned into one through the implicit `StringPiece(const char*)` constructor, which runs `strlen`. When a publisher sends an AVC sequence header whose SPS body has no zero byte, that `strlen` walks off the end of the copied record and reads out of bounds. The path is reachable from untrusted RTMP video input.

### What is changed and the side effects?

Changed:

Pass `buf.substr(2, sps_length)` so `ParseSPS` receives an explicitly sized view and no `strlen` runs. It is the same idiom already used a few lines below when pushing into `sps_list`. I also added a regression test that feeds a zero-free SPS body, which trips ASan on the old code and stays clean after the fix.

Side effects:
- Performance effects: none.

- Breaking backward compatibility: none. The reads inside `ParseSPS` were already bounded by `sps_length`, so valid sequence headers parse exactly as before.

---
### Check List:
- Please make sure your changes are compilable.
- When providing us with a new feature, it is best to add related tests.
- Please follow [Contributor Covenant Code of Conduct](https://github.com/apache/brpc/blob/master/CODE_OF_CONDUCT.md).
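The bug class described in this PR, as an added example that is not part of the pull request or of brpc's code: `Piece` is a minimal stand-in for `butil::StringPiece` (and for `std::string_view`, which has the same implicit `const char*` constructor), `parse_sps_bytes_seen` is a simplified stand-in for `ParseSPS` that only reports how many bytes it was handed, and the AVC record is a constructed input whose SPS body contains no zero byte. The record is placed at the front of a larger arena with a non-zero tail so that the `strlen` overrun lands in memory the program owns and the two call patterns can be compared safely.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Minimal stand-in for butil::StringPiece (assumption: not brpc's own class).
// As with butil::StringPiece and std::string_view, the single-argument
// constructor is implicit and measures the length with strlen, which is
// only safe when the pointer really does point at a NUL-terminated string.
class Piece {
public:
    Piece(const char* s) : data_(s), size_(std::strlen(s)) {}   // implicit: runs strlen
    Piece(const char* s, size_t n) : data_(s), size_(n) {}      // explicitly sized
    Piece substr(size_t pos, size_t n) const {
        if (pos > size_) pos = size_;
        if (n > size_ - pos) n = size_ - pos;
        return Piece(data_ + pos, n);
    }
    const char* data() const { return data_; }
    size_t size() const { return size_; }
private:
    const char* data_;
    size_t size_;
};

// Simplified stand-in for ParseSPS (assumption): a bounded parser would read
// at most sps.size() bytes, so the size it is handed is what matters here.
static size_t parse_sps_bytes_seen(Piece sps) { return sps.size(); }

// Constructed record: 2-byte big-endian SPS length, then a 4-byte SPS body
// with no zero byte. Everything past the record is filled with 'X' and the
// only NUL sits at the very end of the arena, so the overrun is observable
// but stays inside memory we own.
static const size_t kSpsLength = 4;
static const size_t kRecordLength = 2 + kSpsLength;
static const size_t kArenaLength = 32;

static std::vector<char> make_arena() {
    std::vector<char> arena(kArenaLength, 'X');
    arena[0] = 0x00;
    arena[1] = static_cast<char>(kSpsLength);
    arena[2] = 0x67;                       // constructed SPS bytes, no zeros
    arena[3] = 0x42;
    arena[4] = static_cast<char>(0xC0);
    arena[5] = 0x1E;
    arena[kArenaLength - 1] = '\0';
    return arena;
}

// Read the 16-bit big-endian SPS length from the front of the record.
static size_t read_sps_length(const std::vector<char>& arena) {
    return (static_cast<size_t>(static_cast<uint8_t>(arena[0])) << 8) |
           static_cast<uint8_t>(arena[1]);
}

// Old pattern: the bare pointer decays into Piece through the implicit
// constructor, so strlen decides the size and sps_length never reaches the
// parser. The result is the distance to the next NUL, not the SPS length.
static size_t old_call(const std::vector<char>& arena, size_t sps_length) {
    (void)sps_length;
    return parse_sps_bytes_seen(arena.data() + 2);
}

// Fixed pattern: build an explicitly sized view over the copied record and
// hand the parser exactly sps_length bytes, as the PR does with
// buf.substr(2, sps_length). No strlen runs at all.
static size_t fixed_call(const std::vector<char>& arena, size_t sps_length) {
    Piece buf(arena.data(), kRecordLength);
    return parse_sps_bytes_seen(buf.substr(2, sps_length));
}
```

Under ASan the old pattern would fault as soon as the bytes past the record are unmapped or poisoned; here it merely reports a size far larger than the declared SPS length, which is the same defect made visible. A complementary guard is to mark single-pointer constructors on such view types `explicit` so that a bare `const char*` cannot be converted without the caller naming a length.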


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to