From 6f179470b20ff7839e67ef601a2f4e01bac615d7 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 30 Oct 2025 23:20:41 +0100
Subject: [PATCH] avformat/rtmpproto: consider command line argument lengths
Fixes: out of array access
Fixes: zeropath/rtmp-2025-10
Found-by: Joshua Rogers
Reviewed-by: Joshua Rogers
Signed-off-by: Michael Niedermayer
(cherry picked from commit 83e0298de217a7108ee703806d6380e554007972)
Signed-off-by: Michael Niedermayer
---
 libavformat/rtmpproto.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 8055a9fbee..8a568271c8 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -163,6 +163,13 @@ static int handle_chunk_size(URLContext *s, RTMPPacket *pkt);
 static int handle_window_ack_size(URLContext *s, RTMPPacket *pkt);
 static int handle_set_peer_bw(URLContext *s, RTMPPacket *pkt);
+static size_t zstrlen(const char *c)
+{
+ if(c)
+ return strlen(c);
+ return 0;
+}
+
 static int add_tracked_method(RTMPContext *rt, const char *name, int id)
 {
 int err;
@@ -327,7 +334,16 @@ static int gen_connect(URLContext *s, RTMPContext *rt)
 int ret;
 if ((ret = ff_rtmp_packet_create(&pkt, RTMP_SYSTEM_CHANNEL, RTMP_PT_INVOKE,
- 0, 4096 + APP_MAX_LENGTH)) < 0)
+ 0, 4096 + APP_MAX_LENGTH + + strlen(rt->auth_params) + strlen(rt->flashver) + + zstrlen(rt->enhanced_codecs)/5*7 + + zstrlen(rt->swfurl) + + zstrlen(rt->swfverify) + + zstrlen(rt->tcurl) + + zstrlen(rt->auth_params) + + zstrlen(rt->pageurl) + + zstrlen(rt->conn)*3 + )) < 0)
 return ret;
 p = pkt.data;
@@ -1900,7 +1916,9 @@ static int write_status(URLContext *s, RTMPPacket *pkt,
 if ((ret = ff_rtmp_packet_create(&spkt, RTMP_SYSTEM_CHANNEL, RTMP_PT_INVOKE, 0,
- RTMP_PKTDATA_DEFAULT_SIZE)) < 0) {
+ RTMP_PKTDATA_DEFAULT_SIZE + + strlen(status) + strlen(description) + + zstrlen(details))) < 0) {
 av_log(s, AV_LOG_ERROR, "Unable to create response packet\n");
 return ret;
 }
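Review bot: zstrlen has no comment saying why a NULL pointer is treated as length 0, and its `if(c)` spacing differs from the `if ((ret = ...` style visible in the other hunks of this patch. A one-line header such as `/* strlen() that counts a NULL (unset) string as length 0 */` would record the contract, and the body could be written as `return c ? strlen(c) : 0;`. Which fields can actually be NULL is not visible in this hunk, so the comment should name them only once that is confirmed.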
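Review bot: In the new size expression of gen_connect, `rt->auth_params` is counted twice, once through bare `strlen` and once through `zstrlen`, so either the second term is redundant or the first can dereference NULL. The same question applies to `strlen(rt->flashver)` here and to `strlen(status) + strlen(description)` in the write_status hunk. The factors `/5*7` and `*3` are unexplained and the integer division rounds down, so a comment stating the assumed per-entry encoding cost would let a reader check that the bound covers every write after `p = pkt.data;` (those writes are outside the hunk). The sum is computed in size_t; if ff_rtmp_packet_create takes its size as an int, which this hunk does not show, a very long option string would be narrowed silently. Computing the total into a `size_t size` first and rejecting `size > INT_MAX` with `return AVERROR(EINVAL);` before the call would close that gap here and in write_status.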