From 6583e00d501ee3fd487ca2bfef10a180e5e10c0b Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <jsteffens@make.tv>
Date: Fri, 14 Feb 2020 12:20:32 +0100
Subject: [PATCH] rtmp2: Reject oversized messages

We only have 24 bits for the size, so reject anything larger.
---
 gst/rtmp2/rtmp/rtmpchunkstream.c | 2 ++
 gst/rtmp2/rtmp/rtmpmessage.h     | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/gst/rtmp2/rtmp/rtmpchunkstream.c b/gst/rtmp2/rtmp/rtmpchunkstream.c
index 1a25597b87..1ea106474d 100644
--- a/gst/rtmp2/rtmp/rtmpchunkstream.c
+++ b/gst/rtmp2/rtmp/rtmpchunkstream.c
@@ -188,6 +188,8 @@ select_chunk_type (GstRtmpChunkStream * cstream, GstBuffer * buffer)
   meta->size = gst_buffer_get_size (buffer);
   meta->cstream = cstream->id;
 
+  g_return_val_if_fail (meta->size <= GST_RTMP_MAXIMUM_MESSAGE_SIZE, -1);
+
   if (!old_buffer) {
     GST_TRACE ("Picking header 0: no previous header");
     meta->ts_delta = dts_to_abs_ts (buffer);
diff --git a/gst/rtmp2/rtmp/rtmpmessage.h b/gst/rtmp2/rtmp/rtmpmessage.h
index 9761d58159..ff4bef8722 100644
--- a/gst/rtmp2/rtmp/rtmpmessage.h
+++ b/gst/rtmp2/rtmp/rtmpmessage.h
@@ -25,6 +25,8 @@
 
 G_BEGIN_DECLS
 
+#define GST_RTMP_MAXIMUM_MESSAGE_SIZE 0xFFFFFF
+
 typedef enum {
   GST_RTMP_MESSAGE_TYPE_INVALID = 0,
   GST_RTMP_MESSAGE_TYPE_SET_CHUNK_SIZE = 1,