1 /*
2 * RTMP input format
3 * Copyright (c) 2009 Konstantin Shishkov
4 *
5 * This file is part of Libav.
6 *
7 * Libav is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * Libav is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with Libav; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20 */
21
22 #include "libavcodec/bytestream.h"
23 #include "libavutil/avstring.h"
24 #include "libavutil/intfloat.h"
25 #include "avformat.h"
26
27 #include "rtmppkt.h"
28 #include "flv.h"
29 #include "url.h"
30
/**
 * Append an AMF boolean to the output buffer.
 *
 * Writes the AMF_DATA_TYPE_BOOL marker and then val as one byte.
 * No end-of-buffer pointer is passed in, so nothing here can detect an
 * overrun: the caller must guarantee two free bytes at *dst.
 *
 * @param dst in/out write cursor (bytestream_put_* moves it forward)
 * @param val value to store; only its low byte is written
 */
void ff_amf_write_bool(uint8_t **dst, int val)
{
    /* type marker first, payload byte second */
    bytestream_put_byte(dst, AMF_DATA_TYPE_BOOL);
    bytestream_put_byte(dst, val);
}
36
/**
 * Append an AMF number to the output buffer.
 *
 * Writes the AMF_DATA_TYPE_NUMBER marker followed by the bit pattern of
 * val (via av_double2int) as a big-endian 64-bit integer. The caller must
 * guarantee nine free bytes at *dst; no bound is checked here.
 *
 * @param dst in/out write cursor
 * @param val value to serialize
 */
void ff_amf_write_number(uint8_t **dst, double val)
{
    uint64_t bits = av_double2int(val);

    bytestream_put_byte(dst, AMF_DATA_TYPE_NUMBER);
    bytestream_put_be64(dst, bits);
}
42
/**
 * Append an AMF short string (marker, 16-bit length, bytes, no terminator).
 *
 * The caller must guarantee 3 + strlen(str) free bytes at *dst; no bound
 * is checked here.
 *
 * NOTE(review): the length field is 16 bits wide while the whole of str is
 * copied. For a string of 65536 bytes or more the field and the payload
 * disagree, and the output is both malformed and longer than a caller
 * sizing the buffer from the field would expect. Callers should reject
 * such input before calling.
 *
 * @param dst in/out write cursor
 * @param str NUL-terminated string to serialize (must not be NULL)
 */
void ff_amf_write_string(uint8_t **dst, const char *str)
{
    size_t len = strlen(str);

    bytestream_put_byte(dst, AMF_DATA_TYPE_STRING);
    bytestream_put_be16(dst, len);
    bytestream_put_buffer(dst, str, len);
}
49
/**
 * Append the concatenation of two strings as one AMF short string.
 *
 * Either argument may be NULL, in which case it contributes zero bytes.
 * The caller must guarantee 3 + strlen(str1) + strlen(str2) free bytes at
 * *dst; no bound is checked here.
 *
 * NOTE(review): as with ff_amf_write_string, a combined length above
 * 65535 does not fit the 16-bit length field while both payloads are
 * still written in full.
 * NOTE(review): a NULL argument is still handed to bytestream_put_buffer
 * with length 0; confirm that helper tolerates a NULL source.
 *
 * @param dst  in/out write cursor
 * @param str1 first part, or NULL
 * @param str2 second part, or NULL
 */
void ff_amf_write_string2(uint8_t **dst, const char *str1, const char *str2)
{
    int len1 = str1 ? strlen(str1) : 0;
    int len2 = str2 ? strlen(str2) : 0;

    bytestream_put_byte(dst, AMF_DATA_TYPE_STRING);
    bytestream_put_be16(dst, len1 + len2);
    bytestream_put_buffer(dst, str1, len1);
    bytestream_put_buffer(dst, str2, len2);
}
62
/**
 * Append an AMF null value: the single AMF_DATA_TYPE_NULL marker byte.
 * The caller must guarantee one free byte at *dst.
 *
 * @param dst in/out write cursor
 */
void ff_amf_write_null(uint8_t **dst)
{
    bytestream_put_byte(dst, AMF_DATA_TYPE_NULL);
}
67
/**
 * Open an AMF object by writing the AMF_DATA_TYPE_OBJECT marker byte.
 * Fields and the terminator are written by the caller afterwards
 * (see ff_amf_write_field_name / ff_amf_write_object_end).
 * The caller must guarantee one free byte at *dst.
 *
 * @param dst in/out write cursor
 */
void ff_amf_write_object_start(uint8_t **dst)
{
    bytestream_put_byte(dst, AMF_DATA_TYPE_OBJECT);
}
72
/**
 * Write an object field name: 16-bit big-endian length followed by the
 * name bytes, with no type marker and no terminator.
 *
 * The caller must guarantee 2 + strlen(str) free bytes at *dst.
 * NOTE(review): names of 65536 bytes or more overflow the 16-bit length
 * field while the full name is still copied.
 *
 * @param dst in/out write cursor
 * @param str NUL-terminated field name (must not be NULL)
 */
void ff_amf_write_field_name(uint8_t **dst, const char *str)
{
    size_t name_len = strlen(str);

    bytestream_put_be16(dst, name_len);
    bytestream_put_buffer(dst, str, name_len);
}
78
/**
 * Close an AMF object.
 *
 * An object ends with an empty field name (16-bit length 0) followed by
 * the end marker. Writing AMF_DATA_TYPE_OBJECT_END as a 24-bit big-endian
 * value produces exactly those three bytes.
 * The caller must guarantee three free bytes at *dst.
 *
 * @param dst in/out write cursor
 */
void ff_amf_write_object_end(uint8_t **dst)
{
    bytestream_put_be24(dst, AMF_DATA_TYPE_OBJECT_END);
}
86
/**
 * Read an AMF boolean from a bounded byte reader.
 *
 * NOTE(review): only the type marker is validated. If the reader runs out
 * of data right after the marker, the value byte is whatever
 * bytestream2_get_byte yields for an exhausted buffer (presumably 0), so a
 * truncated packet is not distinguished from "false" - confirm against
 * the bytestream2 API.
 *
 * @param bc  reader positioned at the type marker
 * @param val receives the value byte
 * @return 0 on success, AVERROR_INVALIDDATA if the marker is not BOOL
 */
int ff_amf_read_bool(GetByteContext *bc, int *val)
{
    int marker = bytestream2_get_byte(bc);

    if (marker != AMF_DATA_TYPE_BOOL)
        return AVERROR_INVALIDDATA;

    *val = bytestream2_get_byte(bc);
    return 0;
}
94
/**
 * Read an AMF number from a bounded byte reader.
 *
 * NOTE(review): only the type marker is validated; a payload shorter than
 * eight bytes is not reported as an error here - confirm what
 * bytestream2_get_be64 returns on a short buffer.
 *
 * @param bc  reader positioned at the type marker
 * @param val receives the decoded double
 * @return 0 on success, AVERROR_INVALIDDATA if the marker is not NUMBER
 */
int ff_amf_read_number(GetByteContext *bc, double *val)
{
    int marker = bytestream2_get_byte(bc);

    if (marker != AMF_DATA_TYPE_NUMBER)
        return AVERROR_INVALIDDATA;

    /* payload is the big-endian bit pattern of the double */
    *val = av_int2double(bytestream2_get_be64(bc));
    return 0;
}
104
/**
 * Read an AMF short string into a caller-supplied buffer and terminate it.
 *
 * The declared length is checked against strsize before anything is
 * copied, leaving room for the terminator, so the write to str stays in
 * bounds as long as strsize is the true size of str.
 * If the reader holds fewer bytes than declared, a warning is logged and
 * the shorter string is returned; this is not treated as an error.
 *
 * @param bc      reader positioned at the type marker
 * @param str     destination buffer
 * @param strsize size of str in bytes
 * @param length  receives the number of bytes stored (without terminator)
 * @return 0 on success, AVERROR_INVALIDDATA on a wrong marker,
 *         AVERROR(EINVAL) if the declared string does not fit in str
 */
int ff_amf_read_string(GetByteContext *bc, uint8_t *str,
                       int strsize, int *length)
{
    int declared;
    int copied;

    if (bytestream2_get_byte(bc) != AMF_DATA_TYPE_STRING)
        return AVERROR_INVALIDDATA;

    declared = bytestream2_get_be16(bc);
    /* need declared bytes plus one for the terminator */
    if (declared >= strsize)
        return AVERROR(EINVAL);

    copied = bytestream2_get_buffer(bc, str, declared);
    if (copied != declared)
        av_log(NULL, AV_LOG_WARNING,
               "Unable to read as many bytes as AMF string signaled\n");

    str[copied] = '\0';
    *length = FFMIN(declared, copied);
    return 0;
}
124
/**
 * Consume an AMF null value from a bounded byte reader.
 *
 * @param bc reader positioned at the type marker
 * @return 0 if the next byte is AMF_DATA_TYPE_NULL,
 *         AVERROR_INVALIDDATA otherwise
 */
int ff_amf_read_null(GetByteContext *bc)
{
    int marker = bytestream2_get_byte(bc);

    return marker == AMF_DATA_TYPE_NULL ? 0 : AVERROR_INVALIDDATA;
}
131
/**
 * Read one RTMP packet from h.
 *
 * Fetches the first chunk-header byte and hands the rest of the work to
 * ff_rtmp_packet_read_internal.
 *
 * @param h          connection to read from
 * @param p          packet to fill
 * @param chunk_size current incoming chunk size
 * @param prev_pkt   per-channel history used to expand compressed headers
 * @return value of ff_rtmp_packet_read_internal, or AVERROR(EIO) if the
 *         header byte could not be read
 */
int ff_rtmp_packet_read(URLContext *h, RTMPPacket *p,
                        int chunk_size, RTMPPacket *prev_pkt)
{
    uint8_t hdr;
    int got = ffurl_read(h, &hdr, 1);

    if (got != 1)
        return AVERROR(EIO);

    return ff_rtmp_packet_read_internal(h, p, chunk_size, prev_pkt, hdr);
}
142
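/**
 * Read the remainder of an RTMP packet whose first header byte is hdr.
 *
 * Every field parsed here (channel id, size, type, timestamps) comes from
 * the peer and must be treated as untrusted.
 *
 * Changes relative to the previous version:
 *  - a non-positive chunk_size is rejected up front; it would otherwise
 *    never shrink the remaining size and the payload loop would not end;
 *  - the packet buffer is released when the continuation marker does not
 *    match (it used to leak on that path);
 *  - a short read of the continuation marker is an error instead of
 *    comparing an uninitialized byte;
 *  - the returned byte count reflects what was actually read (the last,
 *    shorter chunk and the 4-byte extended timestamp were miscounted).
 *
 * NOTE(review): channel_id indexes prev_pkt without a bound and can reach
 * 64 + 0xFFFF. The size of prev_pkt is not visible here; confirm the
 * caller allocates at least 64 + 0xFFFF + 1 entries.
 * NOTE(review): size is a 24-bit value chosen by the peer and is passed
 * straight to the allocator; consider a protocol-level cap in the caller.
 * NOTE(review): the continuation marker is compared as one byte against
 * 0xC0 + channel_id, which cannot match for channel ids of 64 and above.
 *
 * @param h          connection to read from
 * @param p          packet to fill; p->data is allocated here
 * @param chunk_size current incoming chunk size, must be positive
 * @param prev_pkt   per-channel history, updated with this packet's header
 * @param hdr        first byte of the chunk header, already read
 * @return number of bytes consumed including hdr, or a negative value on
 *         error
 */
int ff_rtmp_packet_read_internal(URLContext *h, RTMPPacket *p, int chunk_size,
                                 RTMPPacket *prev_pkt, uint8_t hdr)
{
    uint8_t t, buf[16];
    int channel_id, timestamp, size, offset = 0;
    uint32_t extra = 0;
    enum RTMPPacketType type;
    int written = 0;
    int ret;

    if (chunk_size <= 0)
        return AVERROR(EINVAL);

    written++; /* hdr itself */
    channel_id = hdr & 0x3F;

    if (channel_id < 2) { /* special case for channel number >= 64 */
        buf[1] = 0;
        if (ffurl_read_complete(h, buf, channel_id + 1) != channel_id + 1)
            return AVERROR(EIO);
        written += channel_id + 1;
        channel_id = AV_RL16(buf) + 64;
    }

    /* start from the previous header on this channel; shorter header
     * formats only override some of these fields */
    size  = prev_pkt[channel_id].size;
    type  = prev_pkt[channel_id].type;
    extra = prev_pkt[channel_id].extra;

    hdr >>= 6;
    if (hdr == RTMP_PS_ONEBYTE) {
        timestamp = prev_pkt[channel_id].ts_delta;
    } else {
        if (ffurl_read_complete(h, buf, 3) != 3)
            return AVERROR(EIO);
        written += 3;
        timestamp = AV_RB24(buf);
        if (hdr != RTMP_PS_FOURBYTES) {
            if (ffurl_read_complete(h, buf, 3) != 3)
                return AVERROR(EIO);
            written += 3;
            size = AV_RB24(buf);
            if (ffurl_read_complete(h, buf, 1) != 1)
                return AVERROR(EIO);
            written++;
            type = buf[0];
            if (hdr == RTMP_PS_TWELVEBYTES) {
                if (ffurl_read_complete(h, buf, 4) != 4)
                    return AVERROR(EIO);
                written += 4;
                extra = AV_RL32(buf);
            }
        }
        if (timestamp == 0xFFFFFF) {
            /* 24-bit field saturated: real value follows as 32 bits */
            if (ffurl_read_complete(h, buf, 4) != 4)
                return AVERROR(EIO);
            written += 4;
            timestamp = AV_RB32(buf);
        }
    }
    if (hdr != RTMP_PS_TWELVEBYTES)
        timestamp += prev_pkt[channel_id].timestamp;

    if ((ret = ff_rtmp_packet_create(p, channel_id, type, timestamp,
                                     size)) < 0)
        return ret;
    p->extra = extra;

    /* save history */
    prev_pkt[channel_id].channel_id = channel_id;
    prev_pkt[channel_id].type       = type;
    prev_pkt[channel_id].size       = size;
    prev_pkt[channel_id].ts_delta   = timestamp - prev_pkt[channel_id].timestamp;
    prev_pkt[channel_id].timestamp  = timestamp;
    prev_pkt[channel_id].extra      = extra;

    while (size > 0) {
        int toread = FFMIN(size, chunk_size);

        if (ffurl_read_complete(h, p->data + offset, toread) != toread) {
            ff_rtmp_packet_destroy(p);
            return AVERROR(EIO);
        }
        size    -= toread;
        offset  += toread;
        written += toread;

        if (size > 0) {
            /* one-byte continuation marker between chunks */
            ret = ffurl_read_complete(h, &t, 1);
            if (ret != 1) {
                ff_rtmp_packet_destroy(p);
                return ret < 0 ? ret : AVERROR(EIO);
            }
            written++;
            if (t != (0xC0 + channel_id)) {
                ff_rtmp_packet_destroy(p);
                return -1;
            }
        }
    }
    return written;
}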
233
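/**
 * Serialize and send an RTMP packet, splitting the payload into chunks.
 *
 * The header format is chosen by comparing pkt with the previous packet
 * sent on the same channel; prev_pkt is then updated.
 *
 * Changes relative to the previous version:
 *  - the header scratch buffer is 18 bytes instead of 16. The worst case
 *    written below is 3 bytes of channel header + 11 bytes of message
 *    header + 4 bytes of extended timestamp; with a channel id of 64 or
 *    more and a timestamp of 0xFFFFFF or more the old buffer was overrun
 *    on the stack;
 *  - a non-positive chunk_size is rejected; with 0 the payload loop made
 *    no progress and kept emitting markers.
 *
 * NOTE(review): pkt->channel_id indexes prev_pkt without a bound; the
 * array size is not visible here - confirm against the caller.
 * NOTE(review): the continuation marker is a single byte 0xC0 | channel_id,
 * which does not encode channel ids of 64 and above.
 *
 * @param h          connection to write to
 * @param pkt        packet to send; pkt->ts_delta is overwritten
 * @param chunk_size outgoing chunk size, must be positive
 * @param prev_pkt   per-channel history of sent packets
 * @return number of bytes written, or a negative value on error
 */
int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt,
                         int chunk_size, RTMPPacket *prev_pkt)
{
    uint8_t pkt_hdr[18], *p = pkt_hdr;
    RTMPPacket *prev;
    int mode = RTMP_PS_TWELVEBYTES;
    int off = 0;
    int written = 0;
    int ret;

    if (chunk_size <= 0)
        return AVERROR(EINVAL);

    prev = &prev_pkt[pkt->channel_id];
    pkt->ts_delta = pkt->timestamp - prev->timestamp;

    /* if channel_id = 0, this is first presentation of prev_pkt, send full hdr. */
    if (prev->channel_id && pkt->extra == prev->extra) {
        if (pkt->type == prev->type && pkt->size == prev->size) {
            mode = RTMP_PS_FOURBYTES;
            if (pkt->ts_delta == prev->ts_delta)
                mode = RTMP_PS_ONEBYTE;
        } else {
            mode = RTMP_PS_EIGHTBYTES;
        }
    }

    /* channel header: 1, 2 or 3 bytes depending on the channel id */
    if (pkt->channel_id < 64) {
        bytestream_put_byte(&p, pkt->channel_id | (mode << 6));
    } else if (pkt->channel_id < 64 + 256) {
        bytestream_put_byte(&p, 0 | (mode << 6));
        bytestream_put_byte(&p, pkt->channel_id - 64);
    } else {
        bytestream_put_byte(&p, 1 | (mode << 6));
        bytestream_put_le16(&p, pkt->channel_id - 64);
    }

    if (mode != RTMP_PS_ONEBYTE) {
        uint32_t timestamp = pkt->timestamp;
        if (mode != RTMP_PS_TWELVEBYTES)
            timestamp = pkt->ts_delta;
        bytestream_put_be24(&p, timestamp >= 0xFFFFFF ? 0xFFFFFF : timestamp);
        if (mode != RTMP_PS_FOURBYTES) {
            bytestream_put_be24(&p, pkt->size);
            bytestream_put_byte(&p, pkt->type);
            if (mode == RTMP_PS_TWELVEBYTES)
                bytestream_put_le32(&p, pkt->extra);
        }
        /* saturated 24-bit field: append the full 32-bit value */
        if (timestamp >= 0xFFFFFF)
            bytestream_put_be32(&p, timestamp);
    }

    /* save history */
    prev->channel_id = pkt->channel_id;
    prev->type       = pkt->type;
    prev->size       = pkt->size;
    prev->timestamp  = pkt->timestamp;
    if (mode != RTMP_PS_TWELVEBYTES) {
        prev->ts_delta = pkt->ts_delta;
    } else {
        prev->ts_delta = pkt->timestamp;
    }
    prev->extra = pkt->extra;

    if ((ret = ffurl_write(h, pkt_hdr, p - pkt_hdr)) < 0)
        return ret;
    written = p - pkt_hdr + pkt->size;

    while (off < pkt->size) {
        int towrite = FFMIN(chunk_size, pkt->size - off);
        if ((ret = ffurl_write(h, pkt->data + off, towrite)) < 0)
            return ret;
        off += towrite;
        if (off < pkt->size) {
            /* continuation marker between chunks */
            uint8_t marker = 0xC0 | pkt->channel_id;
            if ((ret = ffurl_write(h, &marker, 1)) < 0)
                return ret;
            written++;
        }
    }
    return written;
}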
310
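/**
 * Initialize an RTMP packet and allocate its payload buffer.
 *
 * Changes relative to the previous version:
 *  - pkt->data is set to NULL when size is 0. It used to be left
 *    untouched, so a later ff_rtmp_packet_destroy on a packet that the
 *    caller had not zeroed would free an indeterminate pointer;
 *  - a negative size is rejected explicitly instead of being handed to
 *    the allocator.
 *
 * size typically originates from a length field sent by the peer (see
 * ff_rtmp_packet_read_internal), so the allocation is attacker-sized.
 *
 * @param pkt        packet to initialize
 * @param channel_id RTMP channel the packet belongs to
 * @param type       packet type
 * @param timestamp  packet timestamp
 * @param size       payload size in bytes, >= 0
 * @return 0 on success, AVERROR(EINVAL) for a negative size,
 *         AVERROR(ENOMEM) if the allocation fails
 */
int ff_rtmp_packet_create(RTMPPacket *pkt, int channel_id, RTMPPacketType type,
                          int timestamp, int size)
{
    if (size < 0)
        return AVERROR(EINVAL);

    pkt->data = NULL;
    if (size) {
        pkt->data = av_malloc(size);
        if (!pkt->data)
            return AVERROR(ENOMEM);
    }
    pkt->size       = size;
    pkt->channel_id = channel_id;
    pkt->type       = type;
    pkt->timestamp  = timestamp;
    pkt->extra      = 0;
    pkt->ts_delta   = 0;

    return 0;
}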
328
/**
 * Release a packet's payload buffer and reset its size.
 *
 * av_freep is given the address of pkt->data, so the field is cleared as
 * well as freed (presumably - confirm against av_freep's contract), which
 * makes a second call harmless. The RTMPPacket itself is not freed.
 *
 * @param pkt packet to clear; NULL is accepted and ignored
 */
void ff_rtmp_packet_destroy(RTMPPacket *pkt)
{
    if (pkt) {
        av_freep(&pkt->data);
        pkt->size = 0;
    }
}
336
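/**
 * Compute the encoded size of the AMF value starting at data.
 *
 * The input is untrusted packet payload. The previous version read the
 * 16/32-bit length fields, the 4-byte array header and each field-name
 * length without first checking that those bytes lie before data_end, and
 * added a 32-bit length to 5 in a signed int. This version checks every
 * read against data_end and returns -1 whenever the value, as declared,
 * does not fit inside [data, data_end).
 *
 * NOTE(review): nested objects are handled by recursion with no depth
 * limit, so nesting depth is bounded only by the buffer length. Callers
 * that accept large packets may want an explicit cap.
 *
 * @param data     first byte of the value (its type marker)
 * @param data_end one past the last valid byte
 * @return size in bytes of the value including its marker, or -1 if the
 *         type is unknown or the value is truncated
 */
int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end)
{
    const uint8_t *base = data;

    if (data >= data_end)
        return -1;
    switch (*data++) {
    case AMF_DATA_TYPE_NUMBER:
        return data_end - data < 8 ? -1 : 9;
    case AMF_DATA_TYPE_BOOL:
        return data_end - data < 1 ? -1 : 2;
    case AMF_DATA_TYPE_STRING: {
        int len;
        if (data_end - data < 2)
            return -1;
        len = AV_RB16(data);
        if (len > data_end - data - 2)
            return -1;
        return 3 + len;
    }
    case AMF_DATA_TYPE_LONG_STRING: {
        uint32_t len;
        if (data_end - data < 4)
            return -1;
        len = AV_RB32(data);
        /* second test keeps 5 + len representable in the int result */
        if (len > (size_t)(data_end - data - 4) || len > 0x7FFFFFFFu - 5)
            return -1;
        return 5 + (int)len;
    }
    case AMF_DATA_TYPE_NULL:
        return 1;
    case AMF_DATA_TYPE_ARRAY:
        /* 4-byte header, then the same key/value layout as an object */
        if (data_end - data < 4)
            return -1;
        data += 4;
        /* fall through */
    case AMF_DATA_TYPE_OBJECT:
        for (;;) {
            int size;
            int t;

            if (data_end - data < 2)
                return -1;
            size = bytestream_get_be16(&data);
            if (!size) {
                /* empty name: one more byte (the end marker) closes it */
                if (data >= data_end)
                    return -1;
                data++;
                break;
            }
            if (size >= data_end - data)
                return -1;
            data += size;
            t = ff_amf_tag_size(data, data_end);
            if (t < 0 || t >= data_end - data)
                return -1;
            data += t;
        }
        return data - base;
    case AMF_DATA_TYPE_OBJECT_END:
        return 1;
    default:
        return -1;
    }
}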
372
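/**
 * Find a named field in the first AMF object of a buffer and render its
 * value as text.
 *
 * The buffer is untrusted packet payload. Changes relative to the
 * previous version:
 *  - the scan for the object marker tests data < data_end before
 *    dereferencing data (the old order read one byte past the end), and
 *    never advances beyond data_end;
 *  - each field-name length and each value is checked to lie inside the
 *    buffer before it is read (number: 8 bytes, bool: 1 byte, string:
 *    2-byte length plus that many bytes);
 *  - string values are copied with an explicit length. AMF strings carry
 *    no terminator (see ff_amf_write_string), so a copy routine that
 *    looks for one can run past the end of the packet.
 *
 * @param data     start of the AMF data
 * @param data_end one past the last valid byte
 * @param name     NUL-terminated field name to look for
 * @param dst      receives the value as a NUL-terminated string
 * @param dst_size size of dst in bytes
 * @return 0 if the field was found and is a number, bool or string,
 *         -1 otherwise
 */
int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end,
                           const uint8_t *name, uint8_t *dst, int dst_size)
{
    int namelen = strlen(name);
    int len;

    /* skip leading values until the first object */
    while (data < data_end && *data != AMF_DATA_TYPE_OBJECT) {
        len = ff_amf_tag_size(data, data_end);
        if (len < 0 || len > data_end - data)
            len = data_end - data;
        data += len;
    }
    if (data_end - data < 3)
        return -1;
    data++;
    for (;;) {
        int size;

        if (data_end - data < 2)
            return -1;
        size = bytestream_get_be16(&data);
        if (!size)
            break;
        if (size < 0 || size >= data_end - data)
            return -1;
        data += size;
        if (size == namelen && !memcmp(data - size, name, namelen)) {
            /* size < remaining was checked above, so the marker is readable */
            switch (*data++) {
            case AMF_DATA_TYPE_NUMBER:
                if (data_end - data < 8)
                    return -1;
                snprintf(dst, dst_size, "%g", av_int2double(AV_RB64(data)));
                break;
            case AMF_DATA_TYPE_BOOL:
                if (data_end - data < 1)
                    return -1;
                snprintf(dst, dst_size, "%s", *data ? "true" : "false");
                break;
            case AMF_DATA_TYPE_STRING:
                if (data_end - data < 2)
                    return -1;
                len = bytestream_get_be16(&data);
                if (len > data_end - data)
                    return -1;
                if (dst_size > 0) {
                    int n = FFMIN(len, dst_size - 1);
                    memcpy(dst, data, n);
                    dst[n] = '\0';
                }
                break;
            default:
                return -1;
            }
            return 0;
        }
        len = ff_amf_tag_size(data, data_end);
        if (len < 0 || len >= data_end - data)
            return -1;
        data += len;
    }
    return -1;
}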
419
/**
 * Map an RTMP packet type to a short human-readable label for logging.
 *
 * @param type packet type value (RTMP_PT_*)
 * @return a static string; "unknown" for any value not listed
 */
static const char* rtmp_packet_type(int type)
{
    const char *label;

    switch (type) {
    case RTMP_PT_CHUNK_SIZE:   label = "chunk size";          break;
    case RTMP_PT_BYTES_READ:   label = "bytes read";          break;
    case RTMP_PT_PING:         label = "ping";                break;
    case RTMP_PT_SERVER_BW:    label = "server bandwidth";    break;
    case RTMP_PT_CLIENT_BW:    label = "client bandwidth";    break;
    case RTMP_PT_AUDIO:        label = "audio packet";        break;
    case RTMP_PT_VIDEO:        label = "video packet";        break;
    case RTMP_PT_FLEX_STREAM:  label = "Flex shared stream";  break;
    case RTMP_PT_FLEX_OBJECT:  label = "Flex shared object";  break;
    case RTMP_PT_FLEX_MESSAGE: label = "Flex shared message"; break;
    case RTMP_PT_NOTIFY:       label = "notification";        break;
    case RTMP_PT_SHARED_OBJ:   label = "shared object";       break;
    case RTMP_PT_INVOKE:       label = "invoke";              break;
    case RTMP_PT_METADATA:     label = "metadata";            break;
    default:                   label = "unknown";             break;
    }
    return label;
}
440
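/**
 * Log one AMF value (recursing into objects) at debug level.
 *
 * Although this is only a dump helper, it parses untrusted packet payload.
 * The previous version read number, bool and length fields without
 * checking data_end, copied string bytes bounded only by the local buffer
 * size, and copied each field name before checking that it lies inside
 * the packet. This version checks every read against data_end; a
 * truncated value is logged as far as it is present or skipped.
 *
 * NOTE(review): string contents are logged verbatim; anything consuming
 * the debug log should expect arbitrary peer-supplied bytes.
 * NOTE(review): recursion depth follows the nesting of the input.
 *
 * @param ctx      logging context passed to av_log
 * @param data     first byte of the value (its type marker)
 * @param data_end one past the last valid byte
 */
static void amf_tag_contents(void *ctx, const uint8_t *data,
                             const uint8_t *data_end)
{
    unsigned int size;
    char buf[1024];

    if (data >= data_end)
        return;
    switch (*data++) {
    case AMF_DATA_TYPE_NUMBER:
        if (data_end - data < 8)
            return;
        av_log(ctx, AV_LOG_DEBUG, " number %g\n", av_int2double(AV_RB64(data)));
        return;
    case AMF_DATA_TYPE_BOOL:
        if (data_end - data < 1)
            return;
        av_log(ctx, AV_LOG_DEBUG, " bool %d\n", *data);
        return;
    case AMF_DATA_TYPE_STRING:
    case AMF_DATA_TYPE_LONG_STRING:
        if (data[-1] == AMF_DATA_TYPE_STRING) {
            if (data_end - data < 2)
                return;
            size = bytestream_get_be16(&data);
        } else {
            if (data_end - data < 4)
                return;
            size = bytestream_get_be32(&data);
        }
        /* clamp to the local buffer and to what the packet really holds */
        size = FFMIN(size, sizeof(buf) - 1);
        if (size > (size_t)(data_end - data))
            size = data_end - data;
        memcpy(buf, data, size);
        buf[size] = 0;
        av_log(ctx, AV_LOG_DEBUG, " string '%s'\n", buf);
        return;
    case AMF_DATA_TYPE_NULL:
        av_log(ctx, AV_LOG_DEBUG, " NULL\n");
        return;
    case AMF_DATA_TYPE_ARRAY:
        if (data_end - data < 4)
            return;
        data += 4;
        /* fall through */
    case AMF_DATA_TYPE_OBJECT:
        av_log(ctx, AV_LOG_DEBUG, " {\n");
        for (;;) {
            unsigned int n;
            int t;

            if (data_end - data < 2)
                return;
            size = bytestream_get_be16(&data);
            if (!size) {
                av_log(ctx, AV_LOG_DEBUG, " }\n");
                data++;
                break;
            }
            if (size >= data_end - data)
                return;
            /* field name is length-prefixed, not terminated */
            n = FFMIN(size, sizeof(buf) - 1);
            memcpy(buf, data, n);
            buf[n] = 0;
            data += size;
            av_log(ctx, AV_LOG_DEBUG, " %s: ", buf);
            amf_tag_contents(ctx, data, data_end);
            t = ff_amf_tag_size(data, data_end);
            if (t < 0 || t >= data_end - data)
                return;
            data += t;
        }
        return;
    case AMF_DATA_TYPE_OBJECT_END:
        av_log(ctx, AV_LOG_DEBUG, " }\n");
        return;
    default:
        return;
    }
}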
502
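/**
 * Log a summary of an RTMP packet, and its contents for selected types,
 * at debug level.
 *
 * Changes relative to the previous version:
 *  - the bandwidth messages read a 32-bit value from p->data only when
 *    the packet holds at least four bytes; the payload size is set by the
 *    peer, and a shorter packet caused a read past the buffer;
 *  - the AMF walk stops if a value's reported size would step past the
 *    end of the payload.
 *
 * @param ctx logging context passed to av_log
 * @param p   packet to describe
 */
void ff_rtmp_packet_dump(void *ctx, RTMPPacket *p)
{
    av_log(ctx, AV_LOG_DEBUG, "RTMP packet type '%s'(%d) for channel %d, timestamp %d, extra field %d size %d\n",
           rtmp_packet_type(p->type), p->type, p->channel_id, p->timestamp, p->extra, p->size);
    if (p->type == RTMP_PT_INVOKE || p->type == RTMP_PT_NOTIFY) {
        uint8_t *src = p->data, *src_end = p->data + p->size;
        while (src < src_end) {
            int sz;
            amf_tag_contents(ctx, src, src_end);
            sz = ff_amf_tag_size(src, src_end);
            if (sz < 0 || sz > src_end - src)
                break;
            src += sz;
        }
    } else if (p->type == RTMP_PT_SERVER_BW) {
        if (p->size >= 4)
            av_log(ctx, AV_LOG_DEBUG, "Server BW = %d\n", AV_RB32(p->data));
    } else if (p->type == RTMP_PT_CLIENT_BW) {
        if (p->size >= 4)
            av_log(ctx, AV_LOG_DEBUG, "Client BW = %d\n", AV_RB32(p->data));
    } else if (p->type != RTMP_PT_AUDIO && p->type != RTMP_PT_VIDEO && p->type != RTMP_PT_METADATA) {
        /* everything else except media and metadata: hex dump */
        int i;
        for (i = 0; i < p->size; i++)
            av_log(ctx, AV_LOG_DEBUG, " %02X", p->data[i]);
        av_log(ctx, AV_LOG_DEBUG, "\n");
    }
}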
528
/**
 * Test whether the AMF string at data equals str.
 *
 * Both the short and the long string encodings are accepted. The header
 * (marker plus 2- or 4-byte length) and the declared string length are
 * each checked against size before the bytes are compared, so the
 * comparison stays inside the buffer as long as size is accurate.
 *
 * @param data first byte of the AMF value (its type marker)
 * @param size number of valid bytes at data
 * @param str  NUL-terminated string to compare with
 * @return 1 if the value is a string equal to str, 0 otherwise
 */
int ff_amf_match_string(const uint8_t *data, int size, const char *str)
{
    int len = strlen(str);
    int amf_len, type;

    if (size < 1)
        return 0;

    type = *data++;

    if (type == AMF_DATA_TYPE_LONG_STRING) {
        /* marker + 32-bit length */
        size -= 4 + 1;
        if (size < 0)
            return 0;
        amf_len = bytestream_get_be32(&data);
    } else if (type == AMF_DATA_TYPE_STRING) {
        /* marker + 16-bit length */
        size -= 2 + 1;
        if (size < 0)
            return 0;
        amf_len = bytestream_get_be16(&data);
    } else {
        return 0;
    }

    /* declared length must fit in what is left and match the target */
    if (amf_len > size || amf_len != len)
        return 0;

    return !memcmp(data, str, len);
}