This repository has been archived by the owner on Jun 17, 2024. It is now read-only.

Parsing EcmaArray containing \t corrupts entire payload #5

Open
mailiam opened this issue Nov 19, 2019 · 1 comment

Comments

@mailiam

mailiam commented Nov 19, 2019

while (*itr != AMF0TypeMarker::ObjectEnd)

Checking for AMF0TypeMarker::ObjectEnd ('\t') blindly through the rest of the payload may throw an access violation exception.

For example, a payload like the one below causes the issue, where the string length is 9 (\t):

\b \0\0\0\x1 
    \0\a version 
    \x2 \0\t 0,0,0,000
\0\0\t

Will PR with the fix sooner or later

@andreasanta

The same happens here; arrays should be parsed accordingly, or any "9" unsigned char will be considered the end of the array and it will be parsed improperly.

For now I replaced that code with a quick hack, but it needs to be parsed completely:

            else if (type == AMF0TypeMarker::EcmaArray)
            {
              // First we skip the array length, 4 bytes
              itr += 4;

              // Advance until the three-byte terminator \0\0\t (empty key + ObjectEnd) is found.
              // The original condition used && between the three tests, which stops at the first
              // lone \0 or \t byte; all three bytes must match before the loop may stop.
              // Note: there is still no bounds check here, so a payload without the terminator
              // reads past its end.
              while (!(itr[0] == 0 && itr[1] == 0 && itr[2] == AMF0TypeMarker::ObjectEnd))
                  ++itr;

              itr += 3; // go past the object end marker

              if (inObject)
                curPropKey = L"";
            }

As you can see, it will still fail if it encounters the sequence \0\0\t anywhere within the array, but it's a bit less likely.
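A structural AMF0 ECMA-array reader, added here as an example and not code from this issue or from the project; the names `amf0::Reader`, `parseEcmaArray`, `parsesCleanly` and `kIssuePayload` are assumed. It walks length-prefixed keys and typed values instead of scanning for the 0x09 byte, so the 9-byte string from the original report parses intact, and every read is bounds-checked so a truncated payload throws instead of reading past the buffer.

```cpp
#include <cstdint>
#include <cstring>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

// Assumed names (not the project's own): a minimal AMF0 ECMA-array reader that walks the payload
// by its structure (length-prefixed keys, typed values) instead of scanning for the 0x09 ObjectEnd
// byte, so 0x09 inside a length or a value cannot end the array early; every read is bounds-checked.
namespace amf0 {
enum Marker : uint8_t { Number = 0x00, String = 0x02, EcmaArray = 0x08, ObjectEnd = 0x09 };
struct Reader {
  const uint8_t* p; const uint8_t* end;
  void need(size_t n) const { if (static_cast<size_t>(end - p) < n) throw std::runtime_error("truncated AMF0 payload"); }
  uint8_t u8() { need(1); return *p++; }
  uint16_t u16() { need(2); uint16_t v = static_cast<uint16_t>(p[0] << 8 | p[1]); p += 2; return v; }
  uint32_t u32() { need(4); uint32_t v = 0; for (int i = 0; i < 4; ++i) v = v << 8 | p[i]; p += 4; return v; }
  std::string utf8() { uint16_t n = u16(); need(n); std::string s(reinterpret_cast<const char*>(p), n); p += n; return s; }
  double number() { need(8); uint64_t b = 0; for (int i = 0; i < 8; ++i) b = b << 8 | p[i]; p += 8; double d; std::memcpy(&d, &b, 8); return d; }
};

// Parses one ECMA array (marker 0x08) with String and Number values. The 4-byte count is advisory
// in AMF0 and is only skipped; the array ends only where an empty key is followed by ObjectEnd.
std::map<std::string, std::string> parseEcmaArray(const std::vector<uint8_t>& buf) {
  Reader r{buf.data(), buf.data() + buf.size()};
  if (r.u8() != EcmaArray) throw std::runtime_error("not an AMF0 ECMA array");
  r.u32();
  std::map<std::string, std::string> out;
  for (;;) {
    std::string key = r.utf8();
    uint8_t type = r.u8();
    if (key.empty() && type == ObjectEnd) return out;  // the only valid terminator
    if (type == String) out[key] = r.utf8();           // value may legitimately contain 0x09
    else if (type == Number) out[key] = std::to_string(r.number());
    else throw std::runtime_error("unsupported AMF0 value type in array");
  }
}

// True if the buffer parses without running off its end or hitting an unsupported type.
bool parsesCleanly(const std::vector<uint8_t>& buf) {
  try { parseEcmaArray(buf); return true; } catch (const std::runtime_error&) { return false; }
}

// Constructed sample: the payload from the issue, one element whose 9-byte string value gets the
// length prefix 00 09, the same byte as ObjectEnd.
const std::vector<uint8_t> kIssuePayload = {
  0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0x07, 'v', 'e', 'r', 's', 'i', 'o', 'n',        // array, count 1, key
  0x02, 0x00, 0x09, '0', ',', '0', ',', '0', ',', '0', '0', '0', 0x00, 0x00, 0x09 };  // "0,0,0,000", end
}  // namespace amf0
```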
