rtmp: fix buffer overflows in ff_amf_tag_contents()
author Xi Wang <xi.wang@gmail.com>
Wed, 23 Jan 2013 02:40:05 +0000 (21:40 -0500)
committer Michael Niedermayer <michaelni@gmx.at>
Sun, 22 Sep 2013 20:34:14 +0000 (22:34 +0200)
commit 8c0261d6859d06373593a914bbd300e2eaa414c9
tree 4c9559733a1237b0a1aa19de330b03b08c67aaa5
parent 4b7036c1d9d16f015ce2f35773b6c4a30ae6488e
rtmp: fix buffer overflows in ff_amf_tag_contents()

A negative `size' will bypass FFMIN().  In the subsequent memcpy() call,
`size' will be considered as a large positive value, leading to a buffer
overflow.

Change the type of `size' to unsigned int to avoid buffer overflow, and
simplify overflow checks accordingly.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4e692374f7962ea358c329de38c380103f8991b6)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavformat/rtmppkt.c
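
The signed/unsigned pitfall described in the commit message, as an added example that is not FFmpeg's code and not part of this commit. `clamp_signed`, `clamp_unsigned` and `copy_field` are hypothetical helpers, `FFMIN` is redefined locally, and all input values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-in with the usual min-macro shape (assumption: not copied from FFmpeg). */
#define FFMIN(a, b) ((a) > (b) ? (b) : (a))

/* Flawed pattern: a signed size. A negative value compares below the limit,
 * so the clamp leaves it unchanged. Returns the length memcpy() would see
 * after the implicit conversion to size_t; nothing is copied here. */
size_t clamp_signed(int size, size_t dst_len)
{
    int n = FFMIN(size, (int)dst_len - 1);
    return (size_t)n;
}

/* Corrected pattern: an unsigned size can only be clamped downwards. */
size_t clamp_unsigned(unsigned int size, size_t dst_len)
{
    if (dst_len == 0)
        return 0;
    return FFMIN(size, (unsigned int)dst_len - 1);
}

/* Hypothetical hardened copy: bounds the declared length by the destination
 * (leaving room for the terminator) and by the bytes actually available. */
size_t copy_field(char *dst, size_t dst_len,
                  const uint8_t *src, size_t src_len, unsigned int declared)
{
    size_t n = declared;
    if (dst_len == 0)
        return 0;
    n = FFMIN(n, dst_len - 1);
    n = FFMIN(n, src_len);
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

int main(void)
{
    const uint8_t src[] = "ABCDEFGHIJKL";   /* constructed input */
    char dst[8];
    printf("signed clamp   -> %zu\n", clamp_signed(-16, sizeof(dst)));
    printf("unsigned clamp -> %zu\n", clamp_unsigned((unsigned int)-16, sizeof(dst)));
    printf("copied %zu bytes: %s\n",
           copy_field(dst, sizeof(dst), src, sizeof(src) - 1, (unsigned int)-16), dst);
    return 0;
}
```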