PR #20796 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20796 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20796.patch
>From 844511d76807d4ad2b248540b20f534bc640540c Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Thu, 30 Oct 2025 23:05:57 +0100
Subject: [PATCH 1/2] avformat/rtmpproto_ Check tcurl and flashver length

Fixes: out of array accesses

Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavformat/rtmpproto.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 4f866eb76c..5de3bebc62 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -2859,6 +2859,12 @@ reconnect:
                      "FMLE/3.0 (compatible; %s)", LIBAVFORMAT_IDENT);
         }
     }
+    if (   strlen(rt->flashver) > FLASHVER_MAX_LENGTH
+        || strlen(rt->tcurl   ) > TCURL_MAX_LENGTH
+    ) {
+        ret = AVERROR(EINVAL);
+        goto fail;
+    }
     rt->receive_report_size = 1048576;
     rt->bytes_read = 0;
-- 
2.49.1

>From 708ab1bc8ee6e6c28005b3bc219bc7fc0b693b16 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Thu, 30 Oct 2025 23:20:41 +0100
Subject: [PATCH 2/2] avformat/rtmpproto: consider command line argument lengths

Fixes: out of array access
Fixes: zeropath/rtmp-2025-10

Found-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavformat/rtmpproto.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 5de3bebc62..b029c57621 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -163,6 +163,13 @@ static int handle_chunk_size(URLContext *s, RTMPPacket *pkt);
 static int handle_window_ack_size(URLContext *s, RTMPPacket *pkt);
 static int handle_set_peer_bw(URLContext *s, RTMPPacket *pkt);
+static size_t zstrlen(const char *c)
+{
+    if(c)
+        return strlen(c);
+    return 0;
+}
+
 static int add_tracked_method(RTMPContext *rt, const char *name, int id)
 {
     int err;
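Review bot: The rejection path added in the new `if` is silent: a user whose flashver or tcurl option exceeds the limit gets a bare EINVAL with no message naming the option that was refused. Add `av_log(s, AV_LOG_ERROR, "flashver or tcurl longer than the supported maximum\n");` before `ret = AVERROR(EINVAL);`. The plain `strlen()` calls are only safe because `rt->flashver` is filled in just above when the option was unset and `rt->tcurl` is presumably defaulted earlier in rtmp_open (outside this hunk, worth confirming); a one-line comment, `/* both strings are non-NULL here: defaulted above when the option was unset */`, would keep a later reorder from turning this into a NULL dereference. The subject line reads `avformat/rtmpproto_` where the tree's convention is `avformat/rtmpproto:`. rtmp_open's body continues outside the hunk.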
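Review bot: `zstrlen` carries no comment, and `if(c)` departs from the `if (` spacing used by the other conditions in this patch series. Since accepting NULL is the whole reason the helper exists, say so at the definition so a later reader does not "fix" it into a plain strlen: `/** strlen() that treats NULL as the empty string; for optional AVOption strings. */` above `static size_t zstrlen(const char *c)`, and write the condition as `if (c)`.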
@@ -327,7 +334,16 @@ static int gen_connect(URLContext *s, RTMPContext *rt)
     int ret;
     if ((ret = ff_rtmp_packet_create(&pkt, RTMP_SYSTEM_CHANNEL, RTMP_PT_INVOKE,
-                                     0, 4096 + APP_MAX_LENGTH)) < 0)
+                                     0, 4096 + APP_MAX_LENGTH + strlen(rt->auth_params) + strlen(rt->flashver) + zstrlen(rt->enhanced_codecs)/5*7 + zstrlen(rt->swfurl) + zstrlen(rt->swfverify) + zstrlen(rt->tcurl) + zstrlen(rt->auth_params) + zstrlen(rt->pageurl) + zstrlen(rt->conn)*3
+                                     )) < 0)
         return ret;
     p = pkt.data;
@@ -1926,7 +1942,9 @@ static int write_status(URLContext *s, RTMPPacket *pkt,
     if ((ret = ff_rtmp_packet_create(&spkt, RTMP_SYSTEM_CHANNEL, RTMP_PT_INVOKE, 0,
-                                     RTMP_PKTDATA_DEFAULT_SIZE)) < 0) {
+                                     RTMP_PKTDATA_DEFAULT_SIZE + strlen(status) + strlen(description) + zstrlen(details))) < 0) {
         av_log(s, AV_LOG_ERROR, "Unable to create response packet\n");
         return ret;
     }
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
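Review bot: `zstrlen(rt->enhanced_codecs)/5*7` in the new packet-size expression rounds down: if the option is a comma-separated list of n four-character codes (5n-1 bytes, which the length check later in gen_connect appears to enforce — outside this hunk, please confirm), the term reserves 7*(n-1) bytes while n entries get serialized, so the last entry rides on the 4096-byte slack rather than on the reservation; `(zstrlen(rt->enhanced_codecs) + 1)/5*7` makes the accounting exact. `rt->auth_params` is counted twice, once as `strlen(rt->auth_params)` and again as `zstrlen(rt->auth_params)`; over-reserving is harmless, but if the second term is a leftover it should go, and if both are intended because the value is written into two fields, a comment should say so. The factors 7 and 3 bound how much the AMF writers expand their input and cannot be checked from here; a short comment next to the expression explaining what each factor accounts for would let a reviewer verify the bound without reading the serializers. The size sum is passed as the packet size argument of `ff_rtmp_packet_create`, so its type and any truncation on that boundary are worth a glance too.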
