From 71f92aca8d631cbc800c8eed235535e0b0a52991 Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan
Date: Fri, 29 Jun 2012 17:20:36 +0400
Subject: [PATCH] implemented safe amf parser: now source chain is kept unchanged
---
 ngx_rtmp_amf.c | 19 ++++++++++---------
 ngx_rtmp_amf.h | 1 +
 ngx_rtmp_receive.c | 6 ++++++
 3 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/ngx_rtmp_amf.c b/ngx_rtmp_amf.c
index d4df024..a5573fd 100644
--- a/ngx_rtmp_amf.c
+++ b/ngx_rtmp_amf.c
@@ -61,9 +61,10 @@ ngx_rtmp_amf_debug(const char* op, ngx_log_t *log, u_char *p, size_t n)
 static ngx_int_t
 ngx_rtmp_amf_get(ngx_rtmp_amf_ctx_t *ctx, void *p, size_t n)
 {
- ngx_buf_t *b;
 size_t size;
 ngx_chain_t *l;
+ size_t offset;
+ u_char *pos, *last;
 #ifdef NGX_DEBUG
 void *op = p;
 size_t on = n;
@@ -72,16 +73,16 @@ ngx_rtmp_amf_get(ngx_rtmp_amf_ctx_t *ctx, void *p, size_t n)
 if (!n)
 return NGX_OK;
- for(l = ctx->link; l; l = l->next) {
+ for(l = ctx->link, offset = ctx->offset; l; l = l->next, offset = 0) {
- b = l->buf;
+ pos = l->buf->pos + offset;
+ last = l->buf->last;
- if (b->last >= n + b->pos) {
+ if (last >= pos + n) {
 if (p) {
- p = ngx_cpymem(p, b->pos, n);
+ p = ngx_cpymem(p, pos, n);
 }
- b->pos += n;
-
+ ctx->offset = offset + n;
 ctx->link = l;
 #ifdef NGX_DEBUG
@@ -91,10 +92,10 @@ ngx_rtmp_amf_get(ngx_rtmp_amf_ctx_t *ctx, void *p, size_t n)
 return NGX_OK;
 }
- size = b->last - b->pos;
+ size = last - pos;
 if (p) {
- p = ngx_cpymem(p, b->pos, size);
+ p = ngx_cpymem(p, pos, size);
 }
 n -= size;
diff --git a/ngx_rtmp_amf.h b/ngx_rtmp_amf.h
index 06d40f8..1f3ae3c 100644
--- a/ngx_rtmp_amf.h
+++ b/ngx_rtmp_amf.h
@@ -49,6 +49,7 @@ typedef ngx_chain_t * (*ngx_rtmp_amf_alloc_pt)(void *arg);
 typedef struct {
 ngx_chain_t *link, *first;
+ size_t offset;
 ngx_rtmp_amf_alloc_pt alloc;
 void *arg;
 ngx_log_t *log;
diff --git a/ngx_rtmp_receive.c b/ngx_rtmp_receive.c
index a3f1c36..f344e7e 100644
--- a/ngx_rtmp_receive.c
+++ b/ngx_rtmp_receive.c
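Review bot: In the second ngx_rtmp_amf.c hunk the bounds test `if (last >= pos + n) {` adds n to the pointer before anything has shown that n fits in the buffer, so the commit carries the old check's weakness into the new code. n presumably comes from length fields in the received AMF data; computing a pointer past the end of the buffer is undefined and may wrap on 32-bit builds, in which case the ngx_cpymem below copies more than the buffer holds. Comparing lengths avoids this: `if ((size_t) (last - pos) >= n) {`. The new offset also makes `size = last - pos;` in the third hunk wrap to a huge value if ctx->offset ever exceeds the data in the first buffer, so I would reject that at the top of the loop body with `if (offset > (size_t) (l->buf->last - l->buf->pos)) { return NGX_ERROR; }`. The loop and the function end outside these hunks.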
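Review bot: The new `offset` field added to the struct in ngx_rtmp_amf.h has no comment, and ngx_rtmp_amf_get now reads it on every call, so a context declared on the stack and not zeroed would start reading at an arbitrary position in the first buffer. This commit adds ngx_memzero to the two contexts in ngx_rtmp_receive.c; any other place that fills in this struct (none is visible in this patch) needs the same. I would state the contract on the field, for example `size_t offset; /* bytes already read from link->buf, counted from buf->pos; must start at 0 */`. The struct definition continues past the end of the hunk.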
@@ -206,6 +206,7 @@ ngx_rtmp_amf_message_handler(ngx_rtmp_session_t *s,
 cmcf = ngx_rtmp_get_module_main_conf(s, ngx_rtmp_core_module);
 /* read AMF func name & transaction id */
+ ngx_memzero(&act, sizeof(act));
 act.link = in;
 act.log = s->connection->log;
 memset(func, 0, sizeof(func));
@@ -218,6 +219,10 @@ ngx_rtmp_amf_message_handler(ngx_rtmp_session_t *s,
 return NGX_ERROR;
 }
+ /* skip name */
+ in = act.link;
+ in->buf->pos += act.offset;
+
 len = ngx_strlen(func);
 ch = ngx_hash_find(&cmcf->amf_hash,
@@ -251,6 +256,7 @@ ngx_rtmp_receive_amf(ngx_rtmp_session_t *s, ngx_chain_t *in,
 {
 ngx_rtmp_amf_ctx_t act;
+ ngx_memzero(&act, sizeof(act));
 act.link = in;
 act.log = s->connection->log;
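Review bot: The added `in->buf->pos += act.offset;` in the second ngx_rtmp_receive.c hunk writes to the input chain, which is the one thing the commit message says the parser no longer does, and the `/* skip name */` comment does not say why that is safe here. Buffers before act.link are left untouched while the buffer at act.link is advanced, so anything that walks the original chain again would see a partly consumed message; whether that can happen depends on code outside the hunk. I would spell this out in the comment, for example `/* skip what was parsed above: advance only the buffer where parsing stopped; act.offset is now folded into buf->pos */`. If act is used for further reads below this hunk, act.offset has to be reset to 0 at this point, otherwise the skip is applied twice.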