From 9a22da82cf8ad9a90a11186304148635b1f6e800 Mon Sep 17 00:00:00 2001
From: ireader
Date: Tue, 3 May 2022 22:12:47 +0800
Subject: [PATCH] fix flv-parser memory overflow
---
 libflv/source/flv-parser.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/libflv/source/flv-parser.c b/libflv/source/flv-parser.c
index 764494b8..f5230ab7 100644
--- a/libflv/source/flv-parser.c
+++ b/libflv/source/flv-parser.c
@@ -93,7 +93,14 @@ int flv_parser_tag(int type, const void* data, size_t bytes, uint32_t timestamp,
 static size_t flv_parser_append(struct flv_parser_t* parser, const uint8_t* data, size_t bytes, size_t expect)
 {
     size_t n;
-    assert(parser->bytes <= expect && expect <= sizeof(parser->ptr));
+    if (parser->bytes > expect || expect > sizeof(parser->ptr))
+    {
+        // invalid status, consume all
+        assert(0);
+        parser->bytes = expect;
+        return bytes;
+    }
+
     n = parser->bytes + bytes >= expect ? expect - parser->bytes : bytes;
     if (n > 0)
     {
@@ -180,6 +187,11 @@ int flv_parser_input(struct flv_parser_t* parser, const uint8_t* data, size_t by
         case FLV_TYPE_SCRIPT:
             parser->expect = 0;
             n = 0; // noops
+            break;
+
+        default:
+            assert(0);
+            return -1; // invalid flv file
         }
         parser->state = FLV_AVHEADER_EXTRA;
         break;
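Review bot: The guard added at the top of flv_parser_append keeps `assert(0);` inside it, so in a debug build a malformed stream that reaches this state still aborts the process and the recovery path below it only runs with NDEBUG; if the intent is to tolerate invalid input from untrusted FLV data, drop the assert (or turn it into a logged error), and the same applies to the `default: assert(0); return -1;` branch in the second hunk. Setting `parser->bytes = expect;` when `expect > sizeof(parser->ptr)` also leaves parser->bytes past the end of the buffer; presumably the caller compares parser->bytes with expect to decide a header is complete and would then read expect bytes from parser->ptr that were never copied, so a reset such as `parser->bytes = 0;` looks safer than mirroring an invalid expect — verify against flv_parser_input, whose body is outside the first hunk. Returning `bytes` here tells the caller that all input was consumed with no sign of the error, which deserves a comment on the function, e.g. `// Returns the number of input bytes consumed; on an inconsistent parser state the remaining input is discarded.` flv_parser_append's body continues past the hunk.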