AzureRTMPIngestLib icon indicating copy to clipboard operation
AzureRTMPIngestLib copied to clipboard

Published 20 hours ago verified publisher icon MicrosoftDX

Parsing EcmaArray containing `\t` corrupts entire payload

Open mailiam opened this issue 6 years ago • 1 comments

https://github.com/MicrosoftDX/AzureRTMPIngestLib/blob/25efad3d60014d438e85dcbc8c91408d323ff725/RTMPPublisher/Microsoft.Media.RTMP/RTMPMessageFormats.h#L691

Checking for AMF0TypeMarker::ObjectEnd('\t') blindly through rest of payload may throw access violation exception.

For example, payload like below causes issue where string length is 9(\t)

\b \0\0\0\x1 
    \0\a version 
    \x2 \0\t 0,0,0,000
\0\0\t

Will PR with the fix sooner or later

mailiam avatar Nov 19 '19 10:11 mailiam

Happens the same here, arrays should be parsed accordingly or any "9" unsigned char will be considered end of array and it will be parsed improperly.

For now I replaced that code with a quick hack, but needs to be parsed completely:

            else if (type == AMF0TypeMarker::EcmaArray)
            {
              // First we skip the array length, 4 bytes
              itr += 4;

              while (itr[0] != 0 && itr[1] != 0 && itr[2] != AMF0TypeMarker::ObjectEnd)
                  ++itr;
             
              itr += 3;//go past the object end marker

              if (inObject)
                curPropKey = L"";
            }

As you can see, it will still fail if it encounters the sequence \0\0\t anywhere within the array, but it's a bit less likely.

andreasanta avatar Aug 23 '20 13:08 andreasanta