ubeddulla opened a new pull request, #3371: URL: https://github.com/apache/brpc/pull/3371
### What problem does this PR solve?

Issue Number: N/A

Problem Summary: `AVCDecoderConfigurationRecord::Create` copies the sequence header into a buffer that is not NUL-terminated (`DEFINE_SMALL_ARRAY`), then calls `ParseSPS(buf.data() + 2, sps_length)`. `ParseSPS` takes a `butil::StringPiece`, so the bare `const char*` is turned into one through the implicit `StringPiece(const char*)` constructor, which runs `strlen`. When a publisher sends an AVC sequence header whose SPS body has no zero byte, that `strlen` walks off the end of the copied record and reads out of bounds. The path is reachable from untrusted RTMP video input.

### What is changed and the side effects?

Changed: Pass `buf.substr(2, sps_length)` so `ParseSPS` receives an explicitly sized view and no `strlen` runs. It is the same idiom already used a few lines below when pushing into `sps_list`. I also added a regression test that feeds a zero-free SPS body, which trips ASan on the old code and stays clean after the fix.

Side effects:

- Performance effects: none.
- Breaking backward compatibility: none. The reads inside `ParseSPS` were already bounded by `sps_length`, so valid sequence headers parse exactly as before.

---

### Check List:

- Please make sure your changes are compilable.
- When providing us with a new feature, it is best to add related tests.
- Please follow [Contributor Covenant Code of Conduct](https://github.com/apache/brpc/blob/master/CODE_OF_CONDUCT.md).

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
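The mechanism the PR describes, an implicit `StringPiece(const char*)` constructor that measures a non-NUL-terminated record with `strlen`, can be reproduced in isolation. The example below is added here; it is not brpc's code and does not use `butil::StringPiece`. It defines a hypothetical `Piece` class with the same two constructors, a stand-in `ParseSPS` that only reports how many bytes it was told it may read, and a constructed record whose SPS body is zero-free. The bytes after the record are deliberately part of the same array so that the over-read is measurable instead of being undefined behaviour; in the real code they would be whatever follows the stack array, which is what ASan flags.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

// Minimal stand-in for butil::StringPiece (hypothetical; not brpc's code). The two
// constructors mirror the property that matters: the one taking a bare const char*
// is implicit and measures the string with strlen, the (ptr, len) one trusts the caller.
struct Piece {
    const char* ptr;
    size_t len;
    Piece(const char* s) : ptr(s), len(std::strlen(s)) {}   // implicit, runs strlen
    Piece(const char* s, size_t n) : ptr(s), len(n) {}      // explicitly sized
    Piece substr(size_t pos, size_t n) const { return Piece(ptr + pos, n); }
    size_t size() const { return len; }
    const char* data() const { return ptr; }
};

// Stand-in for ParseSPS: all we need to observe is how many bytes the callee
// believes it may read, so it just reports the view length.
size_t ParseSPS(Piece sps) { return sps.size(); }

// Big-endian 16-bit SPS length, as found in an AVCDecoderConfigurationRecord.
size_t ReadSpsLength(const char* buf) {
    return (static_cast<unsigned char>(buf[0]) << 8) | static_cast<unsigned char>(buf[1]);
}

// Old pattern: a bare pointer is handed to a Piece parameter, so the implicit
// constructor runs strlen and sps_length never reaches the callee.
size_t ParseWithImplicitConversion(const char* buf, size_t sps_length) {
    (void)sps_length;          // computed by the caller, then silently ignored
    return ParseSPS(buf + 2);  // implicit Piece(const char*) -> strlen
}

// Fixed pattern: hand over an explicitly bounded view; no strlen runs.
size_t ParseWithSizedView(const Piece& buf, size_t sps_length) {
    return ParseSPS(buf.substr(2, sps_length));
}

// Constructed input. The first 6 bytes play the role of the copied record:
// a 2-byte length (4) followed by a 4-byte SPS body that contains no zero byte.
// The bytes after it stand in for whatever happens to follow the record in
// memory; they are in this array only so the over-read stays inside memory we
// own and can be measured.
static const char kArena[] = {
    0x00, 0x04,              // sps_length = 4
    0x67, 0x42, 0x40, 0x1E,  // SPS body, zero-free
    'X',  'Y',  'Z',         // unrelated trailing bytes (not part of the record)
    0x00                     // the first zero that strlen eventually finds
};
static const size_t kRecordLen = 6;

int main() {
    size_t n = ReadSpsLength(kArena);
    std::printf("sps_length=%zu, record bytes=%zu\n", n, kRecordLen);
    std::printf("implicit strlen view: %zu bytes (runs past the record)\n",
                ParseWithImplicitConversion(kArena, n));
    std::printf("explicitly sized view: %zu bytes\n",
                ParseWithSizedView(Piece(kArena, kRecordLen), n));
    return 0;
}
```

Compiling with `-fsanitize=address` and a record that is an exact-size stack array, instead of the padded arena above, is the form the PR's regression test takes: the implicit path reads beyond the array and ASan reports it, the sized path does not. A useful hardening step independent of this fix is to mark the `const char*` constructor of such view types `explicit`, which turns this class of bug into a compile error.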
