sanity checks

0001-Check-for-valid-input-to-ProcessInvokeDeleteStream.patch

From 94eee34601fdf06298b3306b1102662645a53e6c Mon Sep 17 00:00:00 2001
From: Josh Allmann <joshua.allmann@gmail.com>
Date: Tue, 8 Nov 2011 09:26:08 -0800
Subject: [PATCH 1/3] -- Check for valid input to ProcessInvokeDeleteStream.

---
 .../protocols/rtmp/basertmpappprotocolhandler.cpp  |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/sources/thelib/src/protocols/rtmp/basertmpappprotocolhandler.cpp b/sources/thelib/src/protocols/rtmp/basertmpappprotocolhandler.cpp
index 58a8de0..3cadfd1 100644
--- a/sources/thelib/src/protocols/rtmp/basertmpappprotocolhandler.cpp
+++ b/sources/thelib/src/protocols/rtmp/basertmpappprotocolhandler.cpp
@@ -936,6 +936,10 @@ bool BaseRTMPAppProtocolHandler::ProcessInvokeReleaseStream(BaseRTMPProtocol *pF
 
 bool BaseRTMPAppProtocolHandler::ProcessInvokeDeleteStream(BaseRTMPProtocol *pFrom,
 		Variant & request) {
+	if ((VariantType)M_INVOKE_PARAM(request, 1) != V_DOUBLE) {
+		FATAL("Invalid stream ID: %s",STR(M_INVOKE_PARAM(request, 1).ToString()));
+		return false;
+	}
 	return pFrom->CloseStream((uint32_t) M_INVOKE_PARAM(request, 1), false);
 }
 
-- 
1.7.5.4

0002-Avoid-overflows-when-indexing-channels.patch

From 77e7df1fc0e47267077f7bdbc86035d27f4a5ec5 Mon Sep 17 00:00:00 2001
From: Josh Allmann <joshua.allmann@gmail.com>
Date: Thu, 10 Nov 2011 01:47:26 -0800
Subject: [PATCH 2/3] -- Avoid overflows when indexing channels.

---
 .../thelib/src/protocols/rtmp/basertmpprotocol.cpp |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/sources/thelib/src/protocols/rtmp/basertmpprotocol.cpp b/sources/thelib/src/protocols/rtmp/basertmpprotocol.cpp
index 7939999..d860889 100644
--- a/sources/thelib/src/protocols/rtmp/basertmpprotocol.cpp
+++ b/sources/thelib/src/protocols/rtmp/basertmpprotocol.cpp
@@ -586,6 +586,10 @@ bool BaseRTMPProtocol::ProcessBytes(IOBuffer &buffer) {
 							return true;
 						}
 						_selectedChannel = 64 + GETIBPOINTER(buffer)[1];
+						if (_selectedChannel >= MAX_CHANNELS_COUNT) {
+							FATAL("Selected channel exceeds maximum allowed");
+							return false;
+						}
 						_channels[_selectedChannel].lastInHeaderType = GETIBPOINTER(buffer)[0] >> 6;
 						buffer.Ignore(2);
 						availableBytesCount -= 2;
@@ -615,6 +619,10 @@ bool BaseRTMPProtocol::ProcessBytes(IOBuffer &buffer) {
 			}
 		}
 
+		if (_selectedChannel >= MAX_CHANNELS_COUNT) {
+			FATAL("Selected channel exceeds maximum allowed");
+			return false;
+		}
 		Channel &channel = _channels[_selectedChannel];
 		Header &header = channel.lastInHeader;
 
-- 
1.7.5.4

0003-Sanity-check-on-buffer-length-for-control-messages.patch

From 50e42f7d91507ea9cd2c18714d5db9c8fa0cdbd8 Mon Sep 17 00:00:00 2001
From: Josh Allmann <joshua.allmann@gmail.com>
Date: Thu, 10 Nov 2011 01:49:09 -0800
Subject: [PATCH 3/3] -- Sanity check on buffer length for control messages.

---
 .../src/protocols/rtmp/rtmpprotocolserializer.cpp  |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/sources/thelib/src/protocols/rtmp/rtmpprotocolserializer.cpp b/sources/thelib/src/protocols/rtmp/rtmpprotocolserializer.cpp
index 043efa6..e4ea24f 100644
--- a/sources/thelib/src/protocols/rtmp/rtmpprotocolserializer.cpp
+++ b/sources/thelib/src/protocols/rtmp/rtmpprotocolserializer.cpp
@@ -534,6 +534,7 @@ bool RTMPProtocolSerializer::DeserializeFlexStreamSend(IOBuffer &buffer, Variant
 
 bool RTMPProtocolSerializer::DeserializeInvoke(IOBuffer &buffer, Variant &message) {
 	if (message[RM_INVOKE_IS_FLEX]) {
+		if (GETAVAILABLEBYTESCOUNT(buffer) < 1) return false;
 		if (!buffer.Ignore(1)) {
 			FATAL("Unable to ignore 1 byte");
 			return false;
@@ -562,6 +563,7 @@ bool RTMPProtocolSerializer::DeserializeInvoke(IOBuffer &buffer, Variant &messag
 
 bool RTMPProtocolSerializer::DeserializeAck(IOBuffer &buffer,
 		Variant &message) {
+	if (GETAVAILABLEBYTESCOUNT(buffer) < 4) return false;
 	message = (uint32_t) ENTOHLP(GETIBPOINTER(buffer)); //----MARKED-LONG---
 	return buffer.Ignore(4);
 }
@@ -640,16 +642,19 @@ bool RTMPProtocolSerializer::DeserializeUsrCtrl(IOBuffer &buffer, Variant &messa
 
 bool RTMPProtocolSerializer::DeserializeChunkSize(IOBuffer &buffer,
 		Variant &message) {
+	if (GETAVAILABLEBYTESCOUNT(buffer) < 4) return false;
 	message = (uint32_t) ENTOHLP(GETIBPOINTER(buffer)); //----MARKED-LONG---
 	return buffer.Ignore(4);
 }
 
 bool RTMPProtocolSerializer::DeserializeWinAckSize(IOBuffer &buffer, Variant &message) {
+	if (GETAVAILABLEBYTESCOUNT(buffer) < 4) return false;
 	message = (uint32_t) ENTOHLP(GETIBPOINTER(buffer)); //----MARKED-LONG---
 	return buffer.Ignore(4);
 }
 
 bool RTMPProtocolSerializer::DeserializePeerBW(IOBuffer &buffer, Variant &message) {
+	if (GETAVAILABLEBYTESCOUNT(buffer) < 5) return false;
 	message[RM_PEERBW_VALUE] = (uint32_t) ENTOHLP(GETIBPOINTER(buffer)); //----MARKED-LONG---
 	if (!buffer.Ignore(4)) {
 		FATAL("Unable to ignore 4 bytes");
@@ -660,6 +665,7 @@ bool RTMPProtocolSerializer::DeserializePeerBW(IOBuffer &buffer, Variant &messag
 }
 
 bool RTMPProtocolSerializer::DeserializeAbortMessage(IOBuffer &buffer, Variant &message) {
+	if (GETAVAILABLEBYTESCOUNT(buffer) < 4) return false;
 	message = (uint32_t) ENTOHLP(GETIBPOINTER(buffer)); //----MARKED-LONG---
 	if (!buffer.Ignore(4)) {
 		FATAL("Unable to ignore 4 bytes");
@@ -670,6 +676,7 @@ bool RTMPProtocolSerializer::DeserializeAbortMessage(IOBuffer &buffer, Variant &
 
 bool RTMPProtocolSerializer::DeserializeFlexSharedObject(IOBuffer &buffer,
 		Variant &message) {
+	if (GETAVAILABLEBYTESCOUNT(buffer) < 1) return false;
 	if (GETIBPOINTER(buffer)[0] != 0) {
 		FATAL("Encoding %hhu not supported yet", GETIBPOINTER(buffer)[0]);
 		return false;
-- 
1.7.5.4