To: ffmpeg-devel@ffmpeg.org
Date: Thu, 30 Oct 2025 23:51:56 -0000
Message-ID: <176186831816.81.13340378576210940055@7d278768979e>
Reply-To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PATCH] avformat/rtmpproto: consider command line argument lengths (PR #20796)
List-Id: FFmpeg development discussions and patches
From: michaelni via ffmpeg-devel
Cc: michaelni

PR #20796 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20796
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20796.patch

>>From 844511d76807d4ad2b248540b20f534bc640540c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Oct 2025 23:05:57 +0100 Subject: [PATCH 1/2] avformat/rtmpproto_ Check tcurl and flashver length Fixes: out of array accesses Signed-off-by: Michael Niedermayer --- libavformat/rtmpproto.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index 4f866eb76c..5de3bebc62 100644 --- a/libavformat/rtmpproto.c +++ b/libavformat/rtmpproto.c 
@@ -2859,6 +2859,12 @@ reconnect: "FMLE/3.0 (compatible; %s)", LIBAVFORMAT_IDENT); } } + if ( strlen(rt->flashver) > FLASHVER_MAX_LENGTH + || strlen(rt->tcurl ) > TCURL_MAX_LENGTH + ) { + ret = AVERROR(EINVAL); + goto fail; + } rt->receive_report_size = 1048576; rt->bytes_read = 0; -- 2.49.1 >>From 708ab1bc8ee6e6c28005b3bc219bc7fc0b693b16 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Oct 2025 23:20:41 +0100 Subject: [PATCH 2/2] avformat/rtmpproto: consider command line argument lengths Fixes: out of array access Fixes: zeropath/rtmp-2025-10 Found-by: Joshua Rogers Signed-off-by: Michael Niedermayer --- libavformat/rtmpproto.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index 5de3bebc62..b029c57621 100644 --- a/libavformat/rtmpproto.c +++ b/libavformat/rtmpproto.c @@ -163,6 +163,13 @@ static int handle_chunk_size(URLContext *s, RTMPPacket *pkt); static int handle_window_ack_size(URLContext *s, RTMPPacket *pkt); static int handle_set_peer_bw(URLContext *s, RTMPPacket *pkt); +static size_t zstrlen(const char *c) +{ + if(c) + return strlen(c); + return 0; +} + static int add_tracked_method(RTMPContext *rt, const char *name, int id) { int err; @@ -327,7 +334,16 @@ static int gen_connect(URLContext *s, RTMPContext *rt) int ret; if ((ret = ff_rtmp_packet_create(&pkt, RTMP_SYSTEM_CHANNEL, RTMP_PT_INVOKE, - 0, 4096 + APP_MAX_LENGTH)) < 0) + 0, 4096 + APP_MAX_LENGTH + + strlen(rt->auth_params) + strlen(rt->flashver) + + zstrlen(rt->enhanced_codecs)/5*7 + + zstrlen(rt->swfurl) + + zstrlen(rt->swfverify) + + zstrlen(rt->tcurl) + + zstrlen(rt->auth_params) + + zstrlen(rt->pageurl) + + zstrlen(rt->conn)*3 + )) < 0) return ret; p = pkt.data; 
@@ -1926,7 +1942,9 @@ static int write_status(URLContext *s, RTMPPacket *pkt, if ((ret = ff_rtmp_packet_create(&spkt, RTMP_SYSTEM_CHANNEL, RTMP_PT_INVOKE, 0, - RTMP_PKTDATA_DEFAULT_SIZE)) < 0) { + RTMP_PKTDATA_DEFAULT_SIZE + + strlen(status) + strlen(description) + + zstrlen(details))) < 0) { av_log(s, AV_LOG_ERROR, "Unable to create response packet\n"); return ret; } -- 2.49.1
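
Review bot: in the `reconnect:` hunk of patch 1/2, the new check calls strlen(rt->tcurl) unguarded, while patch 2/2 sizes the connect packet with zstrlen(rt->tcurl), which implies the field can be NULL; settle which is true and use the same form in both places. The comparison is `>` rather than `>=`, so a string of exactly FLASHVER_MAX_LENGTH or TCURL_MAX_LENGTH characters is accepted; if those constants are buffer sizes that include the terminating NUL, that is one byte too many, so the boundary should be confirmed. The failure path sets `ret = AVERROR(EINVAL)` and jumps to `fail` without an av_log, so a user who passes an over-long option gets no hint which one was rejected.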
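
Review bot: the zstrlen() helper added at the top of patch 2/2 is written `if(c)`, without the space after `if` that the other visible code uses (`if ((ret = ff_rtmp_packet_create(...`), and it carries no comment saying it is a NULL-tolerant strlen. A one-line comment plus `return c ? strlen(c) : 0;` would make the intent obvious to callers choosing between it and plain strlen().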
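
Review bot: in the gen_connect() hunk of patch 2/2, rt->auth_params is added twice, once as `strlen(rt->auth_params)` and again as `zstrlen(rt->auth_params)`; the duplicate only over-allocates, but a plain and a NULL-guarded call on the same field looks like a copy-paste slip, and the same question applies to `strlen(rt->flashver)` sitting next to the zstrlen() calls. The multipliers in `zstrlen(rt->enhanced_codecs)/5*7` and `zstrlen(rt->conn)*3` are unexplained, and the integer division truncates before the multiply, so a trailing group of up to four characters adds nothing to the size. A short comment giving the worst-case encoded size each term stands for, and whether the 4096 base is meant to absorb per-field overhead, would let the next reader verify the bound.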
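
Review bot: in the write_status() hunk of patch 2/2, status and description go through plain strlen() while details goes through zstrlen(), so the size computation relies on the first two never being NULL; state that in a comment or guard them the same way. The size is RTMP_PKTDATA_DEFAULT_SIZE plus the raw string lengths, which leaves the encoding overhead of each field to the fixed slack; a one-line comment saying so would make the bound checkable.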