On 03/10/13 14:05, Martin Storsjö wrote: > This wasn't an issue prior to 58404738, when the whole RTMP packet > was copied at once and the length of the individual embedded flv > packets only were validated by the flv demuxer. > > Prior to this patch, this could lead to reads and writes out of bound. > --- > libavformat/rtmpproto.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c > index da4b8ae..db0ebb1 100644 > --- a/libavformat/rtmpproto.c > +++ b/libavformat/rtmpproto.c > @@ -2221,6 +2221,8 @@ static int handle_metadata(RTMPContext *rt, RTMPPacket > *pkt) > pts = cts; > ts += cts - pts; > pts = cts; > + if (size + 3 + 4 > pkt->data + pkt->size - next)
Ok. _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
