From cfdabaefa24e846df26ebba124791f4c90302cfe Mon Sep 17 00:00:00 2001
From: sahvx655-wq
Date: Wed, 3 Jun 2026 23:04:46 +0530
Subject: [PATCH 1/2] bounds-check OnUserControlMessage like sibling control handlers
---
 src/brpc/policy/rtmp_protocol.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/brpc/policy/rtmp_protocol.cpp b/src/brpc/policy/rtmp_protocol.cpp
index d706468650..056e3a5af0 100644
--- a/src/brpc/policy/rtmp_protocol.cpp
+++ b/src/brpc/policy/rtmp_protocol.cpp
@@ -1925,8 +1925,8 @@ bool RtmpChunkStream::OnSetPeerBandwidth(
 bool RtmpChunkStream::OnUserControlMessage(
 const RtmpMessageHeader& mh, butil::IOBuf* msg_body, Socket* socket) {
- if (mh.message_length > 32) {
- RTMP_ERROR(socket, mh) << "No user control message long as "
+ if (mh.message_length < 2 || mh.message_length > 32) {
+ RTMP_ERROR(socket, mh) << "Invalid user control message length="
 << mh.message_length << " bytes";
 return false;
 }
From 3585ce8f766b7d1004e709b883d9c2fd14a4322f Mon Sep 17 00:00:00 2001
From: sahvx655-wq
Date: Tue, 16 Jun 2026 00:17:33 +0530
Subject: [PATCH 2/2] Use unsigned literals for user control message length bounds
---
 src/brpc/policy/rtmp_protocol.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/brpc/policy/rtmp_protocol.cpp b/src/brpc/policy/rtmp_protocol.cpp
index 056e3a5af0..62322018d1 100644
--- a/src/brpc/policy/rtmp_protocol.cpp
+++ b/src/brpc/policy/rtmp_protocol.cpp
@@ -1925,7 +1925,7 @@ bool RtmpChunkStream::OnSetPeerBandwidth(
 bool RtmpChunkStream::OnUserControlMessage(
 const RtmpMessageHeader& mh, butil::IOBuf* msg_body, Socket* socket) {
- if (mh.message_length < 2 || mh.message_length > 32) {
+ if (mh.message_length < 2u || mh.message_length > 32u) {
 RTMP_ERROR(socket, mh) << "Invalid user control message length="
 << mh.message_length << " bytes";
 return false;
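Review bot: In the `OnUserControlMessage` length guard (first hunk, touched again by the second), the lower bound of 2 only guarantees that `mh.message_length` covers the leading two bytes, presumably the event-type field, so any event data parsed after it still needs its own length check per event type. The function body continues past both hunks, so whether those checks exist cannot be confirmed from here. A comment on the guard would record why the minimum is 2, e.g. `// A user control message starts with a 2-byte event type; anything shorter cannot be parsed.` Both diffstats list only rtmp_protocol.cpp, so a unit test that passes message lengths 0, 1 and 33 and expects the handler to return `false` would keep the guard from regressing.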