On 28.02.2015 23:35, Clément Bœsch wrote:
On Sat, Feb 28, 2015 at 11:32:59PM +0100, Andreas Cadhalpun wrote:diff --git a/libavformat/rmenc.c b/libavformat/rmenc.c index 838388f..1567834 100644 --- a/libavformat/rmenc.c +++ b/libavformat/rmenc.c @@ -396,6 +396,10 @@ static int rm_write_video(AVFormatContext *s, const uint8_t *buf, int size, int /* Well, I spent some time finding the meaning of these bits. I am not sure I understood everything, but it works !! */ #if 1 + if (size > 0xFFFF - 7 - 4 - 12) { + av_log(s, AV_LOG_ERROR, "paket size %d too large\n", size); + return AVERROR(EINVAL); + }If anyone applies this, please fix the packet typo.
Sorry about the typo, fixed patch attached. Best regards, Andreas
>From 4bb0687f07713787f83dcd90214ad32b91c0f91f Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun <[email protected]> Date: Sat, 28 Feb 2015 23:11:50 +0100 Subject: [PATCH] avformat/rmenc: limit packet size The chunk size is limited to 0xFFFF (written by avio_wb16), so make sure that the packet size is not too large. Signed-off-by: Andreas Cadhalpun <[email protected]> --- libavformat/rmenc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/rmenc.c b/libavformat/rmenc.c index 838388f..9066f75 100644 --- a/libavformat/rmenc.c +++ b/libavformat/rmenc.c @@ -396,6 +396,10 @@ static int rm_write_video(AVFormatContext *s, const uint8_t *buf, int size, int /* Well, I spent some time finding the meaning of these bits. I am not sure I understood everything, but it works !! */ #if 1 + if (size > 0xFFFF - 7 - 4 - 12) { + av_log(s, AV_LOG_ERROR, "packet size %d too large\n", size); + return AVERROR(EINVAL); + } write_packet_header(s, stream, size + 7 + (size >= 0x4000)*4, key_frame); /* bit 7: '1' if final packet of a frame converted in several packets */ avio_w8(pb, 0x81); -- 2.1.4
_______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
