From: Martin Storsjö Date: Thu, 8 May 2014 12:12:23 +0000 (+0300) Subject: rtmpproto: Check the buffer sizes when copying app/playpath strings X-Git-Tag: v11_alpha1~522 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=0bacfa8d37710b904897e7cbeb8d6f96fbf75e2e;p=platform%2Fupstream%2Flibav.git rtmpproto: Check the buffer sizes when copying app/playpath strings As pointed out by Reimar Döffinger. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö --- diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index 2962737..0cc702a 100644 --- a/libavformat/rtmpproto.c +++ b/libavformat/rtmpproto.c @@ -2484,12 +2484,13 @@ reconnect: if (qmark && strstr(qmark, "slist=")) { char* amp; // After slist we have the playpath, before the params, the app - av_strlcpy(rt->app, path + 1, qmark - path); + av_strlcpy(rt->app, path + 1, FFMIN(qmark - path, APP_MAX_LENGTH)); fname = strstr(path, "slist=") + 6; // Strip any further query parameters from fname amp = strchr(fname, '&'); if (amp) { - av_strlcpy(fname_buffer, fname, amp - fname + 1); + av_strlcpy(fname_buffer, fname, FFMIN(amp - fname + 1, + sizeof(fname_buffer))); fname = fname_buffer; } } else if (!strncmp(path, "/ondemand/", 10)) { @@ -2507,10 +2508,10 @@ reconnect: fname = strchr(p + 1, '/'); if (!fname || (c && c < fname)) { fname = p + 1; - av_strlcpy(rt->app, path + 1, p - path); + av_strlcpy(rt->app, path + 1, FFMIN(p - path, APP_MAX_LENGTH)); } else { fname++; - av_strlcpy(rt->app, path + 1, fname - path - 1); + av_strlcpy(rt->app, path + 1, FFMIN(fname - path - 1, APP_MAX_LENGTH)); } } }