From 5718e3487ba3b26aba341070be0b6b0b4de45ea3 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Thu, 8 Aug 2013 19:44:19 +0200
Subject: [PATCH] rtmp: Do not misuse memcmp
CC: libav-stable@libav.org
---
 libavformat/rtmppkt.c | 33 +++++++++++++++++++++++++++++++++
 libavformat/rtmppkt.h | 7 +++++++
 libavformat/rtmpproto.c | 25 +++++++++++++------------
 3 files changed, 53 insertions(+), 12 deletions(-)
diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c
index 59bdd6dc06..8f3912272e 100644
--- a/libavformat/rtmppkt.c
+++ b/libavformat/rtmppkt.c
@@ -525,3 +525,36 @@ void ff_rtmp_packet_dump(void *ctx, RTMPPacket *p)
 av_log(ctx, AV_LOG_DEBUG, "\n");
 }
 }
+
+int ff_amf_match_string(const uint8_t *data, int size, const char *str)
+{
+ int len = strlen(str);
+ int amf_len, type;
+
+ if (size < 1)
+ return 0;
+
+ type = *data++;
+
+ if (type != AMF_DATA_TYPE_LONG_STRING &&
+ type != AMF_DATA_TYPE_STRING)
+ return 0;
+
+ if (type == AMF_DATA_TYPE_LONG_STRING) {
+ if ((size -= 4 + 1) < 0)
+ return 0;
+ amf_len = bytestream_get_be32(&data);
+ } else {
+ if ((size -= 2 + 1) < 0)
+ return 0;
+ amf_len = bytestream_get_be16(&data);
+ }
+
+ if (amf_len > size)
+ return 0;
+
+ if (amf_len != len)
+ return 0;
+
+ return !memcmp(data, str, len);
+}
diff --git a/libavformat/rtmppkt.h b/libavformat/rtmppkt.h
index a45beda76d..ff5d1716df 100644
--- a/libavformat/rtmppkt.h
+++ b/libavformat/rtmppkt.h
@@ -282,6 +282,13 @@ int ff_amf_read_string(GetByteContext *gbc, uint8_t *str,
 */
 int ff_amf_read_null(GetByteContext *gbc);
+/**
+ * Match AMF string with a NULL-terminated string.
+ *
+ * @return 0 if the strings do not match.
+ */
+
+int ff_amf_match_string(const uint8_t *data, int size, const char *str);
 /** @} */ // AMF funcs
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index a46d26eb74..4de20f2ed9 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
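Review bot: In `ff_amf_match_string` the 32-bit length from `bytestream_get_be32()` is stored in a signed `int amf_len`, so a wire value of 0x80000000 or more becomes negative (implementation-defined conversion) and passes the `amf_len > size` bounds check. It is rejected today only because the following `amf_len != len` test fails against the non-negative `strlen()` result, which makes the bounds check depend on statement order. Making the guard self-contained, `if (amf_len < 0 || amf_len > size) return 0;`, keeps the `memcmp` in bounds even if the equality test is later relaxed, for example to a prefix match.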
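Review bot: The doc comment added for `ff_amf_match_string` in rtmppkt.h leaves the contract half-stated: it says what 0 means but not what a match returns, and `data` and `size` are undocumented. I would add `@param data` (start of the AMF value, at its type byte), `@param size` (bytes available at `data`), `@param str`, and `@return nonzero if the AMF string equals str, 0 otherwise`, and write "NUL-terminated" rather than "NULL-terminated". The blank `+` line between the comment and the prototype should also go, so the comment sits directly on the declaration as the `ff_amf_read_null` comment above it appears to.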
@@ -1909,7 +1909,7 @@ static int handle_invoke_result(URLContext *s, RTMPPacket *pkt)
 return ret;
 }
- if (!memcmp(tracked_method, "connect", 7)) {
+ if (!strcmp(tracked_method, "connect")) {
 if (!rt->is_input) {
 if ((ret = gen_release_stream(s, rt)) < 0)
 goto fail;
@@ -1935,7 +1935,7 @@ static int handle_invoke_result(URLContext *s, RTMPPacket *pkt)
 goto fail;
 }
 }
- } else if (!memcmp(tracked_method, "createStream", 12)) {
+ } else if (!strcmp(tracked_method, "createStream")) {
 //extract a number from the result
 if (pkt->data[10] || pkt->data[19] != 5 || pkt->data[20]) {
 av_log(s, AV_LOG_WARNING, "Unexpected reply on connect()\n");
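Review bot: The `createStream` branch still reads `pkt->data[10]`, `pkt->data[19]` and `pkt->data[20]` at fixed offsets, and no check of `pkt->size` is visible in this hunk before them, so a short `_result` packet from the peer could be read past its end. This is the same class of problem the commit fixes for the command name, left in place for the payload. Unless an earlier check exists outside the hunk, guard the visible reads with `if (pkt->size < 21 || pkt->data[10] || pkt->data[19] != 5 || pkt->data[20]) {`, and extend the bound to cover whatever the rest of the branch reads, or parse the number through the AMF reader helpers instead. The warning text `"Unexpected reply on connect()\n"` in this branch also names the wrong method.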
@@ -1998,23 +1998,23 @@ static int handle_invoke(URLContext *s, RTMPPacket *pkt)
 int ret = 0;
 //TODO: check for the messages sent for wrong state?
- if (!memcmp(pkt->data, "\002\000\006_error", 9)) {
+ if (ff_amf_match_string(pkt->data, pkt->size, "_error")) {
 if ((ret = handle_invoke_error(s, pkt)) < 0)
 return ret;
- } else if (!memcmp(pkt->data, "\002\000\007_result", 10)) {
+ } else if (ff_amf_match_string(pkt->data, pkt->size, "_result")) {
 if ((ret = handle_invoke_result(s, pkt)) < 0)
 return ret;
- } else if (!memcmp(pkt->data, "\002\000\010onStatus", 11)) {
+ } else if (ff_amf_match_string(pkt->data, pkt->size, "onStatus")) {
 if ((ret = handle_invoke_status(s, pkt)) < 0)
 return ret;
- } else if (!memcmp(pkt->data, "\002\000\010onBWDone", 11)) {
+ } else if (ff_amf_match_string(pkt->data, pkt->size, "onBWDone")) {
 if ((ret = gen_check_bw(s, rt)) < 0)
 return ret;
- } else if (!memcmp(pkt->data, "\002\000\015releaseStream", 16) ||
- !memcmp(pkt->data, "\002\000\011FCPublish", 12) ||
- !memcmp(pkt->data, "\002\000\007publish", 10) ||
- !memcmp(pkt->data, "\002\000\010_checkbw", 11) ||
- !memcmp(pkt->data, "\002\000\014createStream", 15)) {
+ } else if (ff_amf_match_string(pkt->data, pkt->size, "releaseStream") ||
+ ff_amf_match_string(pkt->data, pkt->size, "FCPublish") ||
+ ff_amf_match_string(pkt->data, pkt->size, "publish") ||
+ ff_amf_match_string(pkt->data, pkt->size, "_checkbw") ||
+ ff_amf_match_string(pkt->data, pkt->size, "createStream")) {
 if ((ret = send_invoke_response(s, pkt)) < 0)
 return ret;
 }
@@ -2210,7 +2210,8 @@ static int get_packet(URLContext *s, int for_header)
 continue;
 }
 if (rpkt.type == RTMP_PT_VIDEO || rpkt.type == RTMP_PT_AUDIO ||
- (rpkt.type == RTMP_PT_NOTIFY && !memcmp("\002\000\012onMetaData", rpkt.data, 13))) {
+ (rpkt.type == RTMP_PT_NOTIFY &&
+ ff_amf_match_string(rpkt.data, rpkt.size, "onMetaData"))) {
 ts = rpkt.timestamp;
 // generate packet header and put data into buffer for FLV demuxer
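Review bot: `ff_amf_match_string` also accepts `AMF_DATA_TYPE_LONG_STRING`, so `handle_invoke` now dispatches packets that the old `memcmp` against a `\002`-prefixed short string would have ignored. The handlers they reach appear to assume the short-string layout: `handle_invoke_result` indexes `pkt->data[10]`, `[19]` and `[20]` in the hunk at -1935. With a 4-byte length prefix every payload offset shifts by two, so such a packet would be misparsed rather than rejected. Either limit these call sites to `AMF_DATA_TYPE_STRING` or have the handlers walk the packet with the AMF readers instead of fixed offsets; the handler bodies are outside this hunk, so confirm against them. The same widening applies to the `onMetaData` match in the `get_packet` hunk.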