From 0bacfa8d37710b904897e7cbeb8d6f96fbf75e2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= <martin@martin.st>
Date: Thu, 8 May 2014 15:12:23 +0300
Subject: [PATCH] rtmpproto: Check the buffer sizes when copying app/playpath
 strings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As pointed out by Reimar Döffinger.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
---
 libavformat/rtmpproto.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 2962737ed00..0cc702ad626 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -2484,12 +2484,13 @@ reconnect:
     if (qmark && strstr(qmark, "slist=")) {
         char* amp;
         // After slist we have the playpath, before the params, the app
-        av_strlcpy(rt->app, path + 1, qmark - path);
+        av_strlcpy(rt->app, path + 1, FFMIN(qmark - path, APP_MAX_LENGTH));
         fname = strstr(path, "slist=") + 6;
         // Strip any further query parameters from fname
         amp = strchr(fname, '&');
         if (amp) {
-            av_strlcpy(fname_buffer, fname, amp - fname + 1);
+            av_strlcpy(fname_buffer, fname, FFMIN(amp - fname + 1,
+                                                  sizeof(fname_buffer)));
             fname = fname_buffer;
         }
     } else if (!strncmp(path, "/ondemand/", 10)) {
@@ -2507,10 +2508,10 @@ reconnect:
             fname = strchr(p + 1, '/');
             if (!fname || (c && c < fname)) {
                 fname = p + 1;
-                av_strlcpy(rt->app, path + 1, p - path);
+                av_strlcpy(rt->app, path + 1, FFMIN(p - path, APP_MAX_LENGTH));
             } else {
                 fname++;
-                av_strlcpy(rt->app, path + 1, fname - path - 1);
+                av_strlcpy(rt->app, path + 1, FFMIN(fname - path - 1, APP_MAX_LENGTH));
             }
         }
     }
-- 
GitLab