kpriv/freebsd-ports
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
freebsd-ports/multimedia/mythtv/files/patch-CVE-2017-11665b
Jason E. Hale db032688df Update multimedia/mythtv and related ports to 29.1 [1] 
Convert multimedia/mythtv-frontend to a slave port of multimedia/mythtv
which should make future updates much easier.

Upstream security patches have been added to address known
vulnerabilities in the bundled ffmpeg 3.2.

PR:		225652 (initial patches to update to 29.0) [1]
Submitted by:	<lucylangthorne55@gmail.com> [1]
Differential Revision:	https://reviews.freebsd.org/D14563
2018-03-25 17:09:05 +00:00

111 lines
3.9 KiB
Text
Raw Permalink Blame History

From b375cc8bb74a33a7b38175023ee337b1c378281f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 28 Jul 2017 14:37:26 +0200
Subject: [PATCH] avformat/rtmppkt: Convert ff_amf_get_field_value() to
bytestream2
Fixes: out of array accesses
Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ffcc82219cef0928bed2d558b19ef6ea35634130)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/rtmppkt.c | 57 +++++++++++++++++++++++++++++++++------------------
1 file changed, 37 insertions(+), 20 deletions(-)
diff --git libavformat/rtmppkt.c libavformat/rtmppkt.c
index 2ea88d09c57..ca7838868e0 100644
--- external/FFmpeg/libavformat/rtmppkt.c
+++ external/FFmpeg/libavformat/rtmppkt.c
@@ -505,53 +505,70 @@ int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end)
return bytestream2_tell(&gb);
}
-int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end,
+static int amf_get_field_value2(GetByteContext *gb,
const uint8_t *name, uint8_t *dst, int dst_size)
{
int namelen = strlen(name);
int len;
- while (*data != AMF_DATA_TYPE_OBJECT && data < data_end) {
- len = ff_amf_tag_size(data, data_end);
- if (len < 0)
- len = data_end - data;
- data += len;
+ while (bytestream2_peek_byte(gb) != AMF_DATA_TYPE_OBJECT && bytestream2_get_bytes_left(gb) > 0) {
+ int ret = amf_tag_skip(gb);
+ if (ret < 0)
+ return -1;
}
- if (data_end - data < 3)
+ if (bytestream2_get_bytes_left(gb) < 3)
return -1;
- data++;
+ bytestream2_get_byte(gb);
+
for (;;) {
- int size = bytestream_get_be16(&data);
+ int size = bytestream2_get_be16(gb);
if (!size)
break;
- if (size < 0 || size >= data_end - data)
+ if (size < 0 || size >= bytestream2_get_bytes_left(gb))
return -1;
- data += size;
- if (size == namelen && !memcmp(data-size, name, namelen)) {
- switch (*data++) {
+ bytestream2_skip(gb, size);
+ if (size == namelen && !memcmp(gb->buffer-size, name, namelen)) {
+ switch (bytestream2_get_byte(gb)) {
case AMF_DATA_TYPE_NUMBER:
- snprintf(dst, dst_size, "%g", av_int2double(AV_RB64(data)));
+ snprintf(dst, dst_size, "%g", av_int2double(bytestream2_get_be64(gb)));
break;
case AMF_DATA_TYPE_BOOL:
- snprintf(dst, dst_size, "%s", *data ? "true" : "false");
+ snprintf(dst, dst_size, "%s", bytestream2_get_byte(gb) ? "true" : "false");
break;
case AMF_DATA_TYPE_STRING:
- len = bytestream_get_be16(&data);
- av_strlcpy(dst, data, FFMIN(len+1, dst_size));
+ len = bytestream2_get_be16(gb);
+ if (dst_size < 1)
+ return -1;
+ if (dst_size < len + 1)
+ len = dst_size - 1;
+ bytestream2_get_buffer(gb, dst, len);
+ dst[len] = 0;
break;
default:
return -1;
}
return 0;
}
- len = ff_amf_tag_size(data, data_end);
- if (len < 0 || len >= data_end - data)
+ len = amf_tag_skip(gb);
+ if (len < 0 || bytestream2_get_bytes_left(gb) <= 0)
return -1;
- data += len;
}
return -1;
}
+int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end,
+ const uint8_t *name, uint8_t *dst, int dst_size)
+{
+ GetByteContext gb;
+
+ if (data >= data_end)
+ return -1;
+
+ bytestream2_init(&gb, data, data_end - data);
+
+ return amf_get_field_value2(&gb, name, dst, dst_size);
+}
+
static const char* rtmp_packet_type(int type)
{
switch (type) {
Reference in a new issue View git blame Copy permalink