Flash - How to fix the "Security sandbox violation: BitmapData.draw"

Published: , Last Updated:
May 4, 2020

👉 This post was initially written in 2009 and referred to specific software versions. When tuning your system, always consider which version you are running. Information below may be outdated. Use it at your own risk.

The "Security sandbox violation" message is a common problem for any Flash developer who tries to take a snapshot of an RTMP stream. There were a couple of workarounds, but they stopped working as of Flash Player 9.0.115, as it was considered a possible bug. So how do you take a proper snapshot of an RTMP stream? The answer is simple, but you need control over the streaming server, whether it is FMS or Red5.

Flash uses an undocumented part of the RTMP protocol. When the client connects to an RTMP stream, the server sends a packet that tells the client whether it may access the bitmap data (pixels) and/or the raw audio data.

Wireshark - Packet capture RtmpSampleAccess

Fix with FMS

I think what works here for FMS also works for Wowza servers, but I never tried. To fix the problem with Flash Media Server, add these two lines of code inside the application.onConnect function:

appClient.audioSampleAccess = "/";
appClient.videoSampleAccess = "/";

It seems that you can also just edit your application.xml file and add the following inside the Application node:

<AudioSampleAccess enabled="true">/</AudioSampleAccess>
<VideoSampleAccess enabled="true">/</VideoSampleAccess>

Be aware that using "/" allows snapshots on all your streams; you can restrict it according to your needs.

Fix with Red5

Last April I posted a patch to the Red5 community that lets you handle the problem the same way FMS does (Ticket #APPSERVER-315 #498). So, to let your client access the stream, you need to edit the red5-web.xml of your application:

<bean id="rtmpSampleAccess" class="org.red5.server.stream.RtmpSampleAccess">
    <property name="audioAllowed" value="true"/>
    <property name="videoAllowed" value="true"/>
</bean>

The whole Red5 project is designed around beans, which makes the application quite flexible. In the same way, you can implement your own class and add any security check you want before allowing access to your RTMP streams. All you need to do is implement a new class with the IRtmpSampleAccess interface and create a bean using your class.
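
One way to write such a class, as an added example (not code from the original post or from the Red5 project): an allow-list that grants sample access only inside named scopes and denies it everywhere else. The class name, package, the `videoScopes`/`audioScopes` properties and the scope name `snapshots` are hypothetical; the `IRtmpSampleAccess` method signatures and the `IScope` import path are assumed from the Red5 API and may differ between releases.

```java
// Added example, not Red5 project code: allow-list implementation of IRtmpSampleAccess.
package com.example.streaming; // hypothetical package

import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.red5.server.api.scope.IScope; // assumption: some releases use org.red5.server.api.IScope
import org.red5.server.api.stream.IRtmpSampleAccess;

/*
 * Wiring in red5-web.xml (replaces the stock bean shown above; "snapshots" is a
 * constructed scope name):
 *
 * <bean id="rtmpSampleAccess" class="com.example.streaming.ScopedSampleAccess">
 *     <property name="videoScopes"><set><value>snapshots</value></set></property>
 * </bean>
 *
 * audioScopes is left unset here, so raw audio access stays denied everywhere.
 */
public class ScopedSampleAccess implements IRtmpSampleAccess {

    // Scope names whose streams may expose pixels / raw audio. Empty means deny all.
    private volatile Set<String> videoScopes = Collections.emptySet();
    private volatile Set<String> audioScopes = Collections.emptySet();

    // Setters called by Spring when the bean is created.
    public void setVideoScopes(Set<String> names) { videoScopes = copy(names); }
    public void setAudioScopes(Set<String> names) { audioScopes = copy(names); }

    public boolean isAudioAllowed(IScope scope) { return allowed(audioScopes, scope); }
    public boolean isVideoAllowed(IScope scope) { return allowed(videoScopes, scope); }

    // Default-deny: a missing scope, a missing name or an unlisted name all return false.
    private static boolean allowed(Set<String> names, IScope scope) {
        return scope != null && scope.getName() != null && names.contains(scope.getName());
    }

    // Defensive copy so later changes to the caller's set cannot widen access.
    private static Set<String> copy(Set<String> names) {
        return names == null
                ? Collections.<String>emptySet()
                : Collections.unmodifiableSet(new HashSet<String>(names));
    }
}
```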

Even with those changes, you can still get the error message if the stream buffer is empty. So be sure to use a proper try/catch in your client application and to listen for the "NetStatusEvent.NET_STATUS" event. You can start capturing data when the NET_STATUS event returns an event.info.code of "NetStream.Buffer.Full" and stop capturing data on "NetStream.Buffer.Empty".
