Created
November 8, 2011 17:27
-
-
Save j0sh/1348449 to your computer and use it in GitHub Desktop.
sanity checks
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
From 94eee34601fdf06298b3306b1102662645a53e6c Mon Sep 17 00:00:00 2001 | |
From: Josh Allmann <joshua.allmann@gmail.com> | |
Date: Tue, 8 Nov 2011 09:26:08 -0800 | |
Subject: [PATCH 1/3] -- Check for valid input to ProcessInvokeDeleteStream. | |
--- | |
.../protocols/rtmp/basertmpappprotocolhandler.cpp | 4 ++++ | |
1 files changed, 4 insertions(+), 0 deletions(-) | |
diff --git a/sources/thelib/src/protocols/rtmp/basertmpappprotocolhandler.cpp b/sources/thelib/src/protocols/rtmp/basertmpappprotocolhandler.cpp | |
index 58a8de0..3cadfd1 100644 | |
--- a/sources/thelib/src/protocols/rtmp/basertmpappprotocolhandler.cpp | |
+++ b/sources/thelib/src/protocols/rtmp/basertmpappprotocolhandler.cpp | |
@@ -936,6 +936,10 @@ bool BaseRTMPAppProtocolHandler::ProcessInvokeReleaseStream(BaseRTMPProtocol *pF | |
bool BaseRTMPAppProtocolHandler::ProcessInvokeDeleteStream(BaseRTMPProtocol *pFrom, | |
Variant & request) { | |
+ if ((VariantType)M_INVOKE_PARAM(request, 1) != V_DOUBLE) { | |
+ FATAL("Invalid stream ID: %s",STR(M_INVOKE_PARAM(request, 1).ToString())); | |
+ return false; | |
+ } | |
return pFrom->CloseStream((uint32_t) M_INVOKE_PARAM(request, 1), false); | |
} | |
-- | |
1.7.5.4 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
From 77e7df1fc0e47267077f7bdbc86035d27f4a5ec5 Mon Sep 17 00:00:00 2001 | |
From: Josh Allmann <joshua.allmann@gmail.com> | |
Date: Thu, 10 Nov 2011 01:47:26 -0800 | |
Subject: [PATCH 2/3] -- Avoid overflows when indexing channels. | |
--- | |
.../thelib/src/protocols/rtmp/basertmpprotocol.cpp | 8 ++++++++ | |
1 files changed, 8 insertions(+), 0 deletions(-) | |
diff --git a/sources/thelib/src/protocols/rtmp/basertmpprotocol.cpp b/sources/thelib/src/protocols/rtmp/basertmpprotocol.cpp | |
index 7939999..d860889 100644 | |
--- a/sources/thelib/src/protocols/rtmp/basertmpprotocol.cpp | |
+++ b/sources/thelib/src/protocols/rtmp/basertmpprotocol.cpp | |
@@ -586,6 +586,10 @@ bool BaseRTMPProtocol::ProcessBytes(IOBuffer &buffer) { | |
return true; | |
} | |
_selectedChannel = 64 + GETIBPOINTER(buffer)[1]; | |
+ if (_selectedChannel >= MAX_CHANNELS_COUNT) { | |
+ FATAL("Selected channel exceeds maximum allowed"); | |
+ return false; | |
+ } | |
_channels[_selectedChannel].lastInHeaderType = GETIBPOINTER(buffer)[0] >> 6; | |
buffer.Ignore(2); | |
availableBytesCount -= 2; | |
@@ -615,6 +619,10 @@ bool BaseRTMPProtocol::ProcessBytes(IOBuffer &buffer) { | |
} | |
} | |
+ if (_selectedChannel >= MAX_CHANNELS_COUNT) { | |
+ FATAL("Selected channel exceeds maximum allowed"); | |
+ return false; | |
+ } | |
Channel &channel = _channels[_selectedChannel]; | |
Header &header = channel.lastInHeader; | |
-- | |
1.7.5.4 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
From 50e42f7d91507ea9cd2c18714d5db9c8fa0cdbd8 Mon Sep 17 00:00:00 2001 | |
From: Josh Allmann <joshua.allmann@gmail.com> | |
Date: Thu, 10 Nov 2011 01:49:09 -0800 | |
Subject: [PATCH 3/3] -- Sanity check on buffer length for control messages. | |
--- | |
.../src/protocols/rtmp/rtmpprotocolserializer.cpp | 7 +++++++ | |
1 files changed, 7 insertions(+), 0 deletions(-) | |
diff --git a/sources/thelib/src/protocols/rtmp/rtmpprotocolserializer.cpp b/sources/thelib/src/protocols/rtmp/rtmpprotocolserializer.cpp | |
index 043efa6..e4ea24f 100644 | |
--- a/sources/thelib/src/protocols/rtmp/rtmpprotocolserializer.cpp | |
+++ b/sources/thelib/src/protocols/rtmp/rtmpprotocolserializer.cpp | |
@@ -534,6 +534,7 @@ bool RTMPProtocolSerializer::DeserializeFlexStreamSend(IOBuffer &buffer, Variant | |
bool RTMPProtocolSerializer::DeserializeInvoke(IOBuffer &buffer, Variant &message) { | |
if (message[RM_INVOKE_IS_FLEX]) { | |
+ if (GETAVAILABLEBYTESCOUNT(buffer) < 1) return false; | |
if (!buffer.Ignore(1)) { | |
FATAL("Unable to ignore 1 byte"); | |
return false; | |
@@ -562,6 +563,7 @@ bool RTMPProtocolSerializer::DeserializeInvoke(IOBuffer &buffer, Variant &messag | |
bool RTMPProtocolSerializer::DeserializeAck(IOBuffer &buffer, | |
Variant &message) { | |
+ if (GETAVAILABLEBYTESCOUNT(buffer) < 4) return false; | |
message = (uint32_t) ENTOHLP(GETIBPOINTER(buffer)); //----MARKED-LONG--- | |
return buffer.Ignore(4); | |
} | |
@@ -640,16 +642,19 @@ bool RTMPProtocolSerializer::DeserializeUsrCtrl(IOBuffer &buffer, Variant &messa | |
bool RTMPProtocolSerializer::DeserializeChunkSize(IOBuffer &buffer, | |
Variant &message) { | |
+ if (GETAVAILABLEBYTESCOUNT(buffer) < 4) return false; | |
message = (uint32_t) ENTOHLP(GETIBPOINTER(buffer)); //----MARKED-LONG--- | |
return buffer.Ignore(4); | |
} | |
bool RTMPProtocolSerializer::DeserializeWinAckSize(IOBuffer &buffer, Variant &message) { | |
+ if (GETAVAILABLEBYTESCOUNT(buffer) < 4) return false; | |
message = (uint32_t) ENTOHLP(GETIBPOINTER(buffer)); //----MARKED-LONG--- | |
return buffer.Ignore(4); | |
} | |
bool RTMPProtocolSerializer::DeserializePeerBW(IOBuffer &buffer, Variant &message) { | |
+ if (GETAVAILABLEBYTESCOUNT(buffer) < 5) return false; | |
message[RM_PEERBW_VALUE] = (uint32_t) ENTOHLP(GETIBPOINTER(buffer)); //----MARKED-LONG--- | |
if (!buffer.Ignore(4)) { | |
FATAL("Unable to ignore 4 bytes"); | |
@@ -660,6 +665,7 @@ bool RTMPProtocolSerializer::DeserializePeerBW(IOBuffer &buffer, Variant &messag | |
} | |
bool RTMPProtocolSerializer::DeserializeAbortMessage(IOBuffer &buffer, Variant &message) { | |
+ if (GETAVAILABLEBYTESCOUNT(buffer) < 4) return false; | |
message = (uint32_t) ENTOHLP(GETIBPOINTER(buffer)); //----MARKED-LONG--- | |
if (!buffer.Ignore(4)) { | |
FATAL("Unable to ignore 4 bytes"); | |
@@ -670,6 +676,7 @@ bool RTMPProtocolSerializer::DeserializeAbortMessage(IOBuffer &buffer, Variant & | |
bool RTMPProtocolSerializer::DeserializeFlexSharedObject(IOBuffer &buffer, | |
Variant &message) { | |
+ if (GETAVAILABLEBYTESCOUNT(buffer) < 1) return false; | |
if (GETIBPOINTER(buffer)[0] != 0) { | |
FATAL("Encoding %hhu not supported yet", GETIBPOINTER(buffer)[0]); | |
return false; | |
-- | |
1.7.5.4 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment