Fix issue 4/7 from LMX of Qihoo 360 Codesafe Team
authorHoward Chu <hyc@highlandsun.com>
Wed, 23 Dec 2015 18:10:15 +0000 (18:10 +0000)
committerHoward Chu <hyc@highlandsun.com>
Wed, 23 Dec 2015 19:09:27 +0000 (19:09 +0000)
Potential integer overflow in RTMPPacket_Alloc().

Aside: issue 3/7 could not be reproduced.

librtmp/rtmp.c
librtmp/rtmp.h

index d3c4715..057058b 100644 (file)
@@ -186,9 +186,12 @@ RTMPPacket_Reset(RTMPPacket *p)
 }
 
 int
-RTMPPacket_Alloc(RTMPPacket *p, int nSize)
+RTMPPacket_Alloc(RTMPPacket *p, uint32_t nSize)
 {
-  char *ptr = calloc(1, nSize + RTMP_MAX_HEADER_SIZE);
+  char *ptr;
+  if (nSize > SIZE_MAX - RTMP_MAX_HEADER_SIZE)
+    return FALSE;
+  ptr = calloc(1, nSize + RTMP_MAX_HEADER_SIZE);
   if (!ptr)
     return FALSE;
   p->m_body = ptr + RTMP_MAX_HEADER_SIZE;
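Review bot: The new guard on the `nSize > SIZE_MAX - RTMP_MAX_HEADER_SIZE` line does not protect the addition on the `calloc` line that follows it, because that sum is still evaluated in the width of `nSize`. With `nSize` now `uint32_t` and `RTMP_MAX_HEADER_SIZE` presumably a small int constant, `nSize + RTMP_MAX_HEADER_SIZE` is computed as a 32-bit unsigned value and wraps for `nSize` close to `UINT32_MAX` on any platform where `size_t` is 64 bits, while the comparison against `SIZE_MAX` (here ~2^64) never fires, so `calloc` gets a tiny size and the later body writes overrun it. The addition should be widened before it can wrap, e.g. `ptr = calloc(1, (size_t)nSize + RTMP_MAX_HEADER_SIZE);`, or the check should be against `UINT32_MAX - RTMP_MAX_HEADER_SIZE` to match the arithmetic actually performed. A one-line comment on the guard, such as `/* reject sizes that would wrap the allocation length */`, would make the intent explicit for the next reader. The body of RTMPPacket_Alloc continues past the end of this hunk, and whether rtmp.c already includes <stdint.h> for `SIZE_MAX` is not visible here.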
index 0248913..6d7dd89 100644 (file)
@@ -136,7 +136,7 @@ extern "C"
 
   void RTMPPacket_Reset(RTMPPacket *p);
   void RTMPPacket_Dump(RTMPPacket *p);
-  int RTMPPacket_Alloc(RTMPPacket *p, int nSize);
+  int RTMPPacket_Alloc(RTMPPacket *p, uint32_t nSize);
   void RTMPPacket_Free(RTMPPacket *p);
 
 #define RTMPPacket_IsReady(a)  ((a)->m_nBytesRead == (a)->m_nBodySize)