diff options
| author | Ivan Kovtunov | 2012-05-04 22:31:46 +0300 |
|---|---|---|
| committer | Martin Storsjö | 2012-05-05 03:09:07 +0300 |
| commit | de26a4b6993ff3dc91f17d110326736c96bfc9ec (patch) | |
| tree | b0ff37abaf6911e8d2f95a9b4bab3a9adc898675 /libavformat | |
| parent | d2205d6543881f2e6fa18c8a354bbcf91a1235f7 (diff) | |
rtpdec_h264: Add input size checks
This fixes crashes if given too short data packets.
Signed-off-by: Martin Storsjö <martin@martin.st>
Diffstat (limited to 'libavformat')
| -rw-r--r-- | libavformat/rtpdec_h264.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/libavformat/rtpdec_h264.c b/libavformat/rtpdec_h264.c index 32a57d3ec7..51447f9703 100644 --- a/libavformat/rtpdec_h264.c +++ b/libavformat/rtpdec_h264.c @@ -173,11 +173,18 @@ static int h264_handle_packet(AVFormatContext *ctx, const uint8_t * buf, int len, int flags) { - uint8_t nal = buf[0]; - uint8_t type = (nal & 0x1f); + uint8_t nal; + uint8_t type; int result= 0; uint8_t start_sequence[] = { 0, 0, 0, 1 }; + if (!len) { + av_log(ctx, AV_LOG_ERROR, "Empty H264 RTP packet\n"); + return AVERROR_INVALIDDATA; + } + nal = buf[0]; + type = nal & 0x1f; + #ifdef DEBUG assert(data); assert(data->cookie == MAGIC_COOKIE); @@ -271,7 +278,7 @@ static int h264_handle_packet(AVFormatContext *ctx, case 28: // FU-A (fragmented nal) buf++; len--; // skip the fu_indicator - { + if (len > 1) { // these are the same as above, we just redo them here for clarity... uint8_t fu_indicator = nal; uint8_t fu_header = *buf; // read the fu_header. @@ -302,6 +309,9 @@ static int h264_handle_packet(AVFormatContext *ctx, av_new_packet(pkt, len); memcpy(pkt->data, buf, len); } + } else { + av_log(ctx, AV_LOG_ERROR, "Too short data for FU-A H264 RTP packet\n"); + result = AVERROR_INVALIDDATA; } break; |