[FFmpeg-devel] [patch]MMS protocol over TCP

zhentan feng spyfeng
Wed Apr 7 19:52:26 CEST 2010


Hi

On Tue, Mar 30, 2010 at 6:42 AM, Michael Niedermayer <michaelni at gmx.at>wrote:

> On Sun, Mar 28, 2010 at 12:13:24AM +0800, zhentan feng wrote:
> [...]
> > +
> > +/** Read incoming MMST media, header or command packet. */
> > +static MMSSCPacketType get_tcp_server_response(MMSContext *mms)
> > +{
> > +    int read_result;
> > +    MMSSCPacketType packet_type= -1;
> > +    int done;
> > +
> > +    do {
> > +        done= 1;
> > +        if((read_result= url_read_complete(mms->mms_hd,
> mms->incoming_buffer, 8))==8) {
> > +            // handle command packet.
> > +            if(AV_RL32(mms->incoming_buffer + 4)==0xb00bface) {
> > +                mms->incoming_flags= mms->incoming_buffer[3];
> > +                read_result= url_read_complete(mms->mms_hd,
> mms->incoming_buffer+8, 4);
> > +                if(read_result == 4) {
> > +                    int length_remaining=
> AV_RL32(mms->incoming_buffer+8) + 4;
> > +
> > +                    dprintf(NULL, "Length remaining is %d\n",
> length_remaining);
> > +                    // read the rest of the packet.
> > +                    read_result = url_read_complete(mms->mms_hd,
> mms->incoming_buffer + 12,
> > +                                                  length_remaining) ;
> > +                    if (read_result == length_remaining) {
> > +                        mms->incoming_buffer_length=
> length_remaining+12;
> > +                        packet_type= AV_RL16(mms->incoming_buffer+36);
> > +
> > +                    } else {
> > +                        dprintf(NULL, "3 read returned %d!\n",
> read_result);
> > +                    }
> > +                } else {
> > +                    dprintf(NULL, "2 read returned %d!\n", read_result);
> > +                }
>
> > +            } else {
> > +                int length_remaining;
> > +                int packet_id_type;
> > +                int tmp;
> > +
> > +                assert(mms->pkt_buf_len==0);
> > +
> > +                //** VERIFY LENGTH REMAINING HAS SPACE
> > +                // note we cache the first 8 bytes,
> > +                // then fill up the buffer with the others
> > +                tmp                       = AV_RL16(mms->incoming_buffer
> + 6);
> > +                length_remaining          = (tmp - 8) & 0xffff;
> > +                mms->incoming_packet_seq  =
> AV_RL32(mms->incoming_buffer);
> > +                packet_id_type            = mms->incoming_buffer[4];
> > +                mms->incoming_flags       = mms->incoming_buffer[5];
> > +                mms->pkt_buf_len          = length_remaining;
> > +                mms->pkt_read_ptr         = mms->incoming_buffer;
> > +
> > +                read_result= url_read_complete(mms->mms_hd,
> mms->incoming_buffer, length_remaining);
>
> is there any check for not overwriting the array bounds?
>
>
see patch file check_bounds.patch.


> > +                if(read_result != length_remaining) {
> > +                    dprintf(NULL, "read_bytes result: %d asking for
> %d\n",
> > +                            read_result, length_remaining);
> > +                    break;
> > +                } else {
> > +                    // if we successfully read everything.
> > +                    if(packet_id_type == mms->header_packet_id) {
> > +                        packet_type = SC_PKT_ASF_HEADER;
> > +                        // Store the asf header
> > +                        if(!mms->header_parsed) {
>
> > +                            mms->asf_header =
> av_realloc(mms->asf_header,
> > +                                              mms->asf_header_size
> > +                                              + mms->pkt_buf_len);
>
> missing check for realloc failure
> also can mms->asf_header_size + mms->pkt_buf_len overflow? if so it
> must be checked
>
> see patch file check_realloc_failed.patch.


>
> > +                            memcpy(mms->asf_header +
> mms->asf_header_size,
> > +                                                 mms->pkt_read_ptr,
> > +                                                 mms->pkt_buf_len);
> > +                            mms->asf_header_size += mms->pkt_buf_len;
> > +                        }
> > +                    } else if(packet_id_type == mms->packet_id) {
> > +                        packet_type = SC_PKT_ASF_MEDIA;
> > +                    } else {
> > +                        dprintf(NULL, "packet id type %d is old.",
> packet_id_type);
> > +                        done= 0;
> > +                    }
> > +                }
> > +            }
> > +        } else {
> > +            if(read_result<0) {
> > +                dprintf(NULL, "Read error (or cancelled) returned
> %d!\n", read_result);
> > +                packet_type = SC_PKT_CANCEL;
> > +            } else {
> > +                dprintf(NULL, "Read result of zero?!\n");
> > +                packet_type = SC_PKT_NO_DATA;
> > +            }
>
> > +            done = 1;
>
> can done be anything else than 1 here?
>
>
> [...]
> > +static int asf_header_parser(MMSContext *mms)
> > +{
> > +    uint8_t *p = mms->asf_header, *end = mms->asf_header +
> mms->asf_header_size;
> > +    mms->stream_num = 0;
> > +
> > +    if (mms->asf_header_size < sizeof(ff_asf_guid) * 2 + 22 ||
> > +        memcmp(p, ff_asf_header, sizeof(ff_asf_guid)))
> > +        return -1;
> > +
> > +    p += sizeof(ff_asf_guid) + 14;
> > +    do {
> > +        uint64_t chunksize = AV_RL64(p + sizeof(ff_asf_guid));
> > +        if (!memcmp(p, ff_asf_file_header, sizeof(ff_asf_guid))) {
> > +            /* read packet size */
> > +            if (end - p > sizeof(ff_asf_guid) * 2 + 68) {
> > +                mms->asf_packet_len = AV_RL32(p + sizeof(ff_asf_guid) *
> 2 + 64);
> > +            }
> > +        } else if (!memcmp(p, ff_asf_stream_header,
> sizeof(ff_asf_guid))) {
> > +            mms->stream_num++;
>
> shouldnt the number be limited somehow? at some place in the code
> you write data for each stream into a fixed size buffer
>
>
see patch file  stream_num.patch

>
> [...]
> > +static int mms_open_cnx(URLContext *h, const char *url)
>
> why is this a seperate function?
>
>
> see patch file remove_funtion.patch


> [...]
>
>
at last, here is the new version patch for MMST proctocol version 5.
please review.
thanks

zhentan
-- 
Best wishes~
-------------- next part --------------
A non-text attachment was scrubbed...
Name: check_bounds.patch
Type: application/octet-stream
Size: 1479 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20100408/cac950a8/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: check_realloc_failed.patch
Type: application/octet-stream
Size: 674 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20100408/cac950a8/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stream_num.patch
Type: application/octet-stream
Size: 1975 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20100408/cac950a8/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: remove_function.patch
Type: application/octet-stream
Size: 1256 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20100408/cac950a8/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mmst_5.patch
Type: application/octet-stream
Size: 26590 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20100408/cac950a8/attachment-0004.obj>



More information about the ffmpeg-devel mailing list