Skip to content

reject zero-datasize flv tag in FlvReader::Read#3366

Open
sahvx655-wq wants to merge 1 commit into
apache:masterfrom
sahvx655-wq:flv-tag-zero-datasize
Open

reject zero-datasize flv tag in FlvReader::Read#3366
sahvx655-wq wants to merge 1 commit into
apache:masterfrom
sahvx655-wq:flv-tag-zero-datasize

Conversation

@sahvx655-wq

Copy link
Copy Markdown
Contributor

While reading FLV tags off a playback buffer I traced a stream that came back as one oversized message with the rest of the buffer swallowed. The DataSize in a video/audio tag header is a 3-byte field read straight off the wire in FlvReader::Read; the code then consumes the single VideoTagHeader/AudioTagHeader byte and cuts msg_size - 1 body bytes. When DataSize is 0 that subtraction wraps to 0xFFFFFFFF (msg_size is uint32_t), so cutn() drains everything left in the buffer into one message and desyncs every tag after it. A malicious or corrupt HTTP-FLV source can trigger it with a single 15-byte tag.

Reject DataSize of 0 with EINVAL before any bytes are consumed, since a valid audio/video tag always carries at least the one-byte codec header that the reader immediately reads. The guard sits next to the msg_size read so the underflow can never reach cutn(), and the same fix is applied to both the video and audio readers. Added a regression test that feeds a zero-DataSize tag and checks the reader errors without draining the buffer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant