Ronald S. Bultje <rsbul...@gmail.com> added the comment: > + /* RFC 3550 Section 5.3.1 RTP Header Extension handling */ > + if (ext) { > + if (len < 4) > + return -1; > + // retrieve header extension length (number of 32-bit words) > + ext = AV_RB16(buf + 2); > + > + // add header extension itself to extension length > + ext++; > + > + // convert header extension length to bytes > + ext <<= 2;
ext = (AV_RB16(..) + 1) << 2;, this isn't barbie-code. + // abort if extension length exceeds remaining buffer length + if (len < ext) + return -1; + + // skip past RTP header extension + len -= ext; + buf += ext; + } Rest OK. ________________________________________________ FFmpeg issue tracker <iss...@roundup.ffmpeg.org> <https://roundup.ffmpeg.org/issue2270> ________________________________________________