fix flv-parser memory overflow

J-Sai · May 3, 2022 · 9a22da8 · 9a22da8
1 parent ecac953
commit 9a22da8
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/libflv/source/flv-parser.c b/libflv/source/flv-parser.c
@@ -93,7 +93,14 @@ int flv_parser_tag(int type, const void* data, size_t bytes, uint32_t timestamp,
 static size_t flv_parser_append(struct flv_parser_t* parser, const uint8_t* data, size_t bytes, size_t expect)
 {
 	size_t n;
-	assert(parser->bytes <= expect && expect <= sizeof(parser->ptr));
+	if (parser->bytes > expect || expect > sizeof(parser->ptr))
+	{
+		// invalid status, consume all
+		assert(0);
+		parser->bytes = expect;
+		return bytes;
+	}
+
 	n = parser->bytes + bytes >= expect ? expect - parser->bytes : bytes;
 	if (n > 0)
 	{
@@ -180,6 +187,11 @@ int flv_parser_input(struct flv_parser_t* parser, const uint8_t* data, size_t by
 			case FLV_TYPE_SCRIPT:
 				parser->expect = 0;
 				n = 0; // noops
+				break;
+
+			default:
+				assert(0);
+				return -1; // invalid flv file
 			}
 			parser->state = FLV_AVHEADER_EXTRA;
 			break;