Commit Graph

88 Commits

Author SHA1 Message Date
Michael Niedermayer
cedbef0394
avformat/rtmppkt: Simplify and deobfuscate amf_tag_skip() slightly
Found while reviewing: CID1530313 Untrusted loop bound

Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-12 16:40:50 +02:00
Andreas Rheinhardt
790f793844 avutil/common: Don't auto-include mem.h
There are lots of files that don't need it: The number of object
files that actually need it went down from 2011 to 884 here.

Keep it for external users in order to not cause breakages.

Also improve the other headers a bit while just at it.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2024-03-31 00:08:43 +01:00
Steven Liu
c946e8d921 avformat/rtmppkt: add ff_amf_write_array for write
Signed-off-by: Steven Liu <lq@chinaffmpeg.org>
2023-09-05 09:13:08 +08:00
Nick Ruff
ea24781a9b lavf/rtmp: Add option to set TCP_NODELAY for rtmp
Suggested-By: ffmpeg@fb.com
2021-06-20 22:45:35 +02:00
Andreas Rheinhardt
bb072a0369 avformat/rtmppkt: Only compile ff_rtmp_packet_dump if defined(DEBUG)
It is only used in this case.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-02-02 23:53:29 +01:00
Andreas Rheinhardt
82d5316c57 avformat/rtmppkt: Remove ff_amf_read_bool
Added in 50468f93e3, but never used.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-02-02 23:53:29 +01:00
James Almer
f858a6e278 Merge commit 'a1a143adb0fd11c474221431417cff25db7d920f'
* commit 'a1a143adb0fd11c474221431417cff25db7d920f':
  rtmp: Rename packet types to closer match the spec

Merged-by: James Almer <jamrial@gmail.com>
2017-09-26 18:29:05 -03:00
Michael Niedermayer
ffcc82219c avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2
Fixes: out of array accesses

Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-07-29 04:05:53 +02:00
Michael Niedermayer
08c073434e avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2
Fixes: out of array accesses
Fixes: crash-9238fa9e8d4fde3beda1f279626f53812cb001cb-SEGV

Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-07-29 03:54:39 +02:00
Clément Bœsch
65c3621d78 Merge commit 'a4fec9a7eab842ea5eea1b1ee98624356cb31422'
* commit 'a4fec9a7eab842ea5eea1b1ee98624356cb31422':
  rtmppkt: Check for packet size mismatches

See 7d57ca4d9a

Merged-by: Clément Bœsch <u@pkh.me>
2017-04-26 16:36:13 +02:00
Martin Storsjö
a1a143adb0 rtmp: Rename packet types to closer match the spec
Also rename comments and log messages accordingly,
and add clarifying comments for some hardcoded values.

The previous names were taken from older, reverse engineered
references.

These names match the official public rtmp specification, and
matches the names used by wirecast in annotating captured
streams. These names also avoid hardcoding the roles of server
and client, since the handling of them is irrelevant of whether
we act as server or client.

The RTMP_PT_PING type maps to RTMP_PT_USER_CONTROL.

The SERVER_BW and CLIENT_BW types are a bit more intertwined;
RTMP_PT_SERVER_BW maps to RTMP_PT_WINDOW_ACK_SIZE and
RTMP_PT_CLIENT_BW maps to RTMP_PT_SET_PEER_BW.

Signed-off-by: Martin Storsjö <martin@martin.st>
2017-02-03 09:26:46 +02:00
Michael Niedermayer
a4fec9a7ea rtmppkt: Check for packet size mismatches
When receiving fragmented packets, the first packet declares the size,
and the later ones normally are small follow-on packets that don't repeat
the size and the other header fields. But technically, the later fragments
also can have a full header, declaring a different size than the previous
packet.

If the follow-on packet declares a larger size than the initial one, we
could end up writing outside of the allocation.

This fixes out of bounds writes.

Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
2016-12-15 15:45:59 +02:00
Michael Niedermayer
7d57ca4d9a avformat/rtmppkt: Check for packet size mismatches
Fixes out of array access

Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 21:30:12 +01:00
Andrew Stone
dc926ab518 rtmp: support the AMF_DATE tag
Instead of returning EINVAL, which can cause a stream to fail to load, this
allows the tag to be passed through to the flv demuxer, where it's summarily
ignored.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-09-01 13:35:37 +02:00
Michael Niedermayer
6e69bf4a7e Merge commit '024e5a2d5ff8a94adce48abb15ce2fb471f9d18e'
* commit '024e5a2d5ff8a94adce48abb15ce2fb471f9d18e':
  rtmppkt: Repeat the full 32 bit timestamp for chunking continuation packets

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2015-01-15 14:45:29 +01:00
Martin Storsjö
024e5a2d5f rtmppkt: Repeat the full 32 bit timestamp for chunking continuation packets
This fixes sending chunked packets (packets larger than the output
chunk size, which often can be e.g. 4096 bytes) with a timestamp delta
(or absolute timstamp, if it's a timestamp step backwards, or the
first packet of the stream) larger than 0xffffffff.

The RTMP spec explicitly says (in section 5.3.1.3.) that packets of
type 3 (continuation packets) should include this field, if the
previous non-continuation packet had it included.

The receiving code handles these packets correctly.

Pointed out by Cheolho Park.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
2015-01-15 10:20:18 +02:00
Michael Niedermayer
900fff89c9 Merge commit '44127b157e9f8acb837d4bb3a094f56b40da3ef5'
* commit '44127b157e9f8acb837d4bb3a094f56b40da3ef5':
  rtmppkt: Make pkt->data reallocable

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2014-11-28 12:14:26 +01:00
Martin Storsjö
44127b157e rtmppkt: Make pkt->data reallocable
We try to avoid mixing av_malloc with av_realloc, since av_malloc
may be implemented with functions that can't (formally) be mixed
with the functions used in av_realloc.

Signed-off-by: Martin Storsjö <martin@martin.st>
2014-11-28 09:59:28 +02:00
Michael Niedermayer
6b9cbc9a11 Merge commit '3b18857ab301d2a0b3e86e9d85eed76f0798a29c'
* commit '3b18857ab301d2a0b3e86e9d85eed76f0798a29c':
  rtmppkt: Add method to read an AMF string that is not prefixed by its type

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2014-06-01 23:56:22 +02:00
Uwe L. Korn
3b18857ab3 rtmppkt: Add method to read an AMF string that is not prefixed by its type
Signed-off-by: Martin Storsjö <martin@martin.st>
2014-06-01 23:30:33 +03:00
kyh96403
f21c263c89 avformat/rtmppkt: Fix random crash
Fixes Ticket3564

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2014-04-23 15:10:42 +02:00
Michael Niedermayer
4fc339faea Merge remote-tracking branch 'qatar/master'
* qatar/master:
  rtmppkt: Rename the ts_delta field to ts_field

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2014-03-07 14:09:35 +01:00
Michael Niedermayer
9baef60ae4 Merge commit '8bbb02ae4f44f1cddc1ce1e74a71fa2022e93da3'
* commit '8bbb02ae4f44f1cddc1ce1e74a71fa2022e93da3':
  rtmppkt: Properly handle extended timestamps when writing

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2014-03-07 13:42:22 +01:00
Michael Niedermayer
94ec27131c Merge commit '48cfb5f4114048383a4ee85b2f500eefce24cad2'
* commit '48cfb5f4114048383a4ee85b2f500eefce24cad2':
  rtmppkt: Add a descriptive comment

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2014-03-07 12:58:43 +01:00
Michael Niedermayer
d540e7577a Merge commit '5b2ad78f97d43299adcb038c04346999fe9b196c'
* commit '5b2ad78f97d43299adcb038c04346999fe9b196c':
  rtmppkt: Handle extended timestamp field even for one-byte header

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2014-03-07 12:53:02 +01:00
Martin Storsjö
77eed91fab rtmppkt: Rename the ts_delta field to ts_field
Based on a suggestion by Martin Panter. This is more descriptive,
since it's the actual timestamp field from the RTMP packet,
which might or might not be a delta depending on context (in
some packets it's a delta, in some packets it's an absolute
timestamp, and in some packets it's 0xffffff to indicate that
the actual delta or absolute timestamp is transmitted separately).

Signed-off-by: Martin Storsjö <martin@martin.st>
2014-03-07 10:43:51 +02:00
Martin Panter
8bbb02ae4f rtmppkt: Properly handle extended timestamps when writing
Signed-off-by: Martin Storsjö <martin@martin.st>
2014-03-07 10:43:47 +02:00
Martin Panter
48cfb5f411 rtmppkt: Add a descriptive comment
Signed-off-by: Martin Storsjö <martin@martin.st>
2014-03-07 10:43:37 +02:00
Martin Panter
5b2ad78f97 rtmppkt: Handle extended timestamp field even for one-byte header
Related fix in "rtmpdump":
https://repo.or.cz/w/rtmpdump.git/commitdiff/79459a2

Adobe's RTMP specification (21 Dec 2012), section 5.3.1.3 ("Extended
Timestamp"), says "this field is present in Type 3 chunks". Type 3 chunks are
those with the one-byte header size.

This resolves intermittent hangs and segfaults caused by the read function,
and also includes an untested fix for the write function.

The read function was tested with ABC (Australia) News 24 streams, however
they are probably restricted to only Australian internet addresses. Some of
the packets at the start of these streams seem to contain junk timestamp
fields, often requiring the extended field. Test command:

avplay rtmp://cp81899.live.edgefcs.net/live/news24-med@28772

Signed-off-by: Martin Storsjö <martin@martin.st>
2014-03-07 10:43:26 +02:00
Michael Niedermayer
1c7d287044 Merge commit '89564be444d24f75ea5add8b6987e414cf7aa7d5'
* commit '89564be444d24f75ea5add8b6987e414cf7aa7d5':
  rtmpproto: Send a full, absolute timestamp if it isn't monotonically growing

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2014-01-21 04:20:50 +01:00
Martin Storsjö
89564be444 rtmpproto: Send a full, absolute timestamp if it isn't monotonically growing
The normal differential timestamps can't handle negative
differences, thus send a full packet header with an absolute
timestamp in these cases.

Signed-off-by: Martin Storsjö <martin@martin.st>
2014-01-20 21:57:02 +02:00
Michael Niedermayer
953dd72321 Merge commit '84a125c4c28f3e3e215d2e6c32f7f0ec43bbc04c'
* commit '84a125c4c28f3e3e215d2e6c32f7f0ec43bbc04c':
  rtmp: Allocate the prev_pkt arrays dynamically

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2013-10-14 15:31:11 +02:00
Martin Storsjö
84a125c4c2 rtmp: Allocate the prev_pkt arrays dynamically
Normally, all channel ids are between 0 and 10, while they in
uncommon cases can have values up to 64k.

This avoids allocating two arrays for up to 64k entries (at a total
of over 6 MB in size) each when most of them aren't used at all.

Signed-off-by: Martin Storsjö <martin@martin.st>
2013-10-14 14:27:35 +03:00
Michael Niedermayer
f3a02f4bc1 Merge commit '32a414f316c7f0eea877370e3f9d9f25afbf5da2'
* commit '32a414f316c7f0eea877370e3f9d9f25afbf5da2':
  rtmp: Support AMF_DATA_TYPE_MIXEDARRAY

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2013-09-23 11:31:13 +02:00
Luca Barbato
32a414f316 rtmp: Support AMF_DATA_TYPE_MIXEDARRAY
And fix the AMF_DATA_TYPE_ARRAY parsing while at it.

A MIXEDARRAY type, as the ARRAY, store the number of elements in
an uint32 before the list. The ARRAY is strict and does not have
an OBJECT terminator, MIXEDARRAY behaves like an OBJECT type and
a different than stated number of element can be present.
2013-09-22 01:06:42 +02:00
Michael Niedermayer
4131a3cb58 Merge commit '8583b14252deac71136f1dec231910abab0ba503'
* commit '8583b14252deac71136f1dec231910abab0ba503':
  rtmp: Support reading interleaved chunks.

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2013-09-18 12:09:06 +02:00
Josh Allmann
8583b14252 rtmp: Support reading interleaved chunks.
A given packet won't always come in contiguously; sometimes
they may be broken up on chunk boundaries by packets of another
channel.

This support primarily involves tracking information about the
data that's been read, so the reader can pick up where it left
off for a given channel.

As a side effect, we no longer over-report the bytes read if
(toread = MIN(size, chunk_size)) == size

Signed-off-by: Martin Storsjö <martin@martin.st>
2013-09-17 23:19:11 +03:00
Michael Niedermayer
15c92f8c48 Merge remote-tracking branch 'qatar/master'
* qatar/master:
  rtmp: Do not misuse memcmp

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2013-08-11 11:54:37 +02:00
Michael Niedermayer
06186a3160 Merge commit 'ba5393a609c723ec8ab7f9727c10fef734c09278'
* commit 'ba5393a609c723ec8ab7f9727c10fef734c09278':
  rtmp: rename data_size to size

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2013-08-11 11:11:40 +02:00
Luca Barbato
5718e3487b rtmp: Do not misuse memcmp
CC: libav-stable@libav.org
2013-08-11 01:19:27 +02:00
Luca Barbato
ba5393a609 rtmp: rename data_size to size 2013-08-10 13:49:09 +02:00
Michael Niedermayer
4d4f5911d3 Merge commit '28306e6d620c109ddd672f7243adfbc2bbb3b18f'
* commit '28306e6d620c109ddd672f7243adfbc2bbb3b18f':
  network: factor out bind-listening code
  use my full first name instead of short one in copyrights

Conflicts:
	libavformat/tcp.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2013-06-02 10:30:35 +02:00
Kostya Shishkov
de421b2085 use my full first name instead of short one in copyrights 2013-06-01 13:38:50 +02:00
Michael Niedermayer
a5ba4e186b Merge commit 'e926b5ceb1962833f0c884a328382bc2eca67aff'
* commit 'e926b5ceb1962833f0c884a328382bc2eca67aff':
  avformat: Drop unnecessary ff_ name prefixes from static functions

Conflicts:
	libavformat/audiointerleave.c
	libavformat/mux.c
	libavformat/mxfenc.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2013-05-01 18:28:48 +02:00
Diego Biurrun
e926b5ceb1 avformat: Drop unnecessary ff_ name prefixes from static functions 2013-04-30 16:16:23 +02:00
Xi Wang
ecb918e5f0 rtmp: fix buffer overflows in ff_amf_tag_contents()
A negative `size' will bypass FFMIN().  In the subsequent memcpy() call,
`size' will be considered as a large positive value, leading to a buffer
overflow.

Change the type of `size' to unsigned int to avoid buffer overflow, and
simplify overflow checks accordingly. Also change a literal buffer
size to use sizeof, and limit the amount of data copied in another
memcpy call as well.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Martin Storsjö <martin@martin.st>
2013-01-23 13:51:28 +02:00
Xi Wang
3cff53369a rtmp: fix multiple broken overflow checks
Sanity checks like `data + size >= data_end || data + size < data' are
broken, because `data + size < data' assumes pointer overflow, which is
undefined behavior in C.  Many compilers such as gcc/clang optimize such
checks away.

Use `size < 0 || size >= data_end - data' instead.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Martin Storsjö <martin@martin.st>
2013-01-23 13:51:27 +02:00
Xi Wang
4e692374f7 rtmp: fix buffer overflows in ff_amf_tag_contents()
A negative `size' will bypass FFMIN().  In the subsequent memcpy() call,
`size' will be considered as a large positive value, leading to a buffer
overflow.

Change the type of `size' to unsigned int to avoid buffer overflow, and
simplify overflow checks accordingly.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2013-01-23 05:29:59 +01:00
Xi Wang
902cfe2f74 rtmp: fix multiple broken overflow checks
Sanity checks like `data + size >= data_end || data + size < data' are
broken, because `data + size < data' assumes pointer overflow, which is
undefined behavior in C.  Many compilers such as gcc/clang optimize such
checks away.

Use `size < 0 || size >= data_end - data' instead.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2013-01-23 05:28:38 +01:00
Michael Niedermayer
c047a41bc5 Merge commit '33f28a3be3092f642778253d9529dd66fe2a014a'
* commit '33f28a3be3092f642778253d9529dd66fe2a014a':
  rtmp: Add a function for writing AMF strings based on two substrings
  rtmp: Return a proper error code in handle_invoke_error

Merged-by: Michael Niedermayer <michaelni@gmx.at>
2013-01-01 13:54:22 +01:00