On Thu, 15 Dec 2016, Luca Barbato wrote:
On 15/12/2016 09:12, Martin Storsjö wrote:
From: Michael Niedermayer <[email protected]>
Fixes out of array access.
Found-by: Paul Cher <[email protected]>
Reviewed-by: Paul Cher <[email protected]>
CC: [email protected]
---
libavformat/rtmppkt.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c
index f8c51d0..373c3ea 100644
--- a/libavformat/rtmppkt.c
+++ b/libavformat/rtmppkt.c
@@ -235,6 +235,13 @@ static int rtmp_packet_read_one_chunk(URLContext *h,
RTMPPacket *p,
if (hdr != RTMP_PS_TWELVEBYTES)
timestamp += prev_pkt[channel_id].timestamp;
+ if (prev_pkt[channel_id].read && size != prev_pkt[channel_id].size) {
+ av_log(h, AV_LOG_ERROR, "RTMP packet size mismatch %d != %d\n",
+ size, prev_pkt[channel_id].size);
+ ff_rtmp_packet_destroy(&prev_pkt[channel_id]);
+ prev_pkt[channel_id].read = 0;
+ }
+
if (!prev_pkt[channel_id].read) {
if ((ret = ff_rtmp_packet_create(p, channel_id, type, timestamp,
size)) < 0)
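Review bot: the mismatch caught by the new `if (prev_pkt[channel_id].read && size != prev_pkt[channel_id].size)` block is logged at AV_LOG_ERROR but never reported to the caller: the partially received packet is destroyed, `read` is cleared, and the function falls into the `if (!prev_pkt[channel_id].read)` branch to allocate a fresh packet of the new size, so it returns success after silently discarding data. Either add `return AVERROR_INVALIDDATA;` after `prev_pkt[channel_id].read = 0;` so the stream error propagates, or, if resynchronizing on the new size is the intended behaviour, demote the message to AV_LOG_VERBOSE so a peer cannot fill the log at error level by sending fragments with mismatched headers.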
Why does it happen?
When you have fragmented packets, the first packet declares the size and
the later ones (normally) are small follow-on packets that don't repeat
the size and all that. But technically the later fragments also can have a
full header, declaring a different size than the previous packet. In those
cases we didn't use to check that the partial packet that was allocated
earlier actually matches the size in the current packet.
If it is OK not to forward an error, the log message could be demoted to
verbose.
I guess we can and should return an error here directly as well.
// Martin
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
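The fragmentation case Martin describes above, as an added example that is not libav code: a reduced model in C of per-channel RTMP chunk reassembly. PartialPacket, Chunk, rtmp_read_one_chunk, run and the GUARD canary are this example's own constructions, the chunk inputs are constructed, and payload bytes are modeled as a constant fill. It feeds the same two fragments through three variants: the unchecked path (a second fragment with a full header re-declares a larger size and the copy runs past the buffer allocated for the first), the path the posted patch takes (destroy the partial packet and start over at the new size), and the variant Martin suggests (return an error).

```c
/* Added example, not libavformat code: a reduced model of RTMP chunk reassembly.
 * Every type and function name below is this example's own construction. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_SIZE   128   /* default RTMP chunk size */
#define NUM_CHANNELS 4
#define GUARD        64    /* canary after each buffer so the demo stays in bounds */
#define GUARD_BYTE   0xAA

typedef struct {
    unsigned char *data; /* size + GUARD bytes; [size, size + GUARD) is the canary */
    int size;            /* message length declared by the first fragment */
    int offset;          /* bytes received so far */
    int read;            /* 1 while a partial message is pending on this channel */
} PartialPacket;

typedef struct {
    int channel_id, has_size, size, payload_len; /* has_size: full header with a length */
} Chunk;

enum { OK_NEED_MORE = 0, OK_COMPLETE = 1, ERR_INVALIDDATA = -1, ERR_NOMEM = -2 };
enum Mode { MODE_UNCHECKED, MODE_RESYNC, MODE_REJECT };

static PartialPacket prev_pkt[NUM_CHANNELS];

static void packet_destroy(PartialPacket *p)
{
    free(p->data);
    memset(p, 0, sizeof(*p));
}

/* 1 if nothing was written past the declared size (or no buffer exists), else 0. */
static int guard_intact(int channel_id)
{
    const PartialPacket *p = &prev_pkt[channel_id];
    for (int i = 0; p->data && i < GUARD; i++)
        if (p->data[p->size + i] != GUARD_BYTE)
            return 0;
    return 1;
}

static int rtmp_read_one_chunk(const Chunk *c, enum Mode mode)
{
    PartialPacket *p = &prev_pkt[c->channel_id];
    int size = c->has_size ? c->size : p->size; /* continuation headers carry no length */
    int to_copy;

    if (mode != MODE_UNCHECKED && p->read && size != p->size) {
        packet_destroy(p);                /* a later fragment re-declared the length */
        if (mode == MODE_REJECT)
            return ERR_INVALIDDATA;       /* the variant Martin suggests */
        /* MODE_RESYNC (the posted patch): fall through, start over at the new size */
    }
    if (!p->read) {
        free(p->data);                    /* a completed packet the caller has consumed */
        if (!(p->data = malloc(size + GUARD)))
            return ERR_NOMEM;
        memset(p->data + size, GUARD_BYTE, GUARD);
        p->size = size; p->offset = 0; p->read = 1;
    }
    /* The copy is bounded by the length in the *current* header, as in the
     * unpatched code; a re-declared larger size takes it past p->size. */
    to_copy = size - p->offset;
    if (to_copy > CHUNK_SIZE)     to_copy = CHUNK_SIZE;
    if (to_copy > c->payload_len) to_copy = c->payload_len;
    /* Demo-only clamps: keep the overrun inside the canary rather than past the
     * heap allocation. The real unpatched code had no such bound. */
    if (to_copy < 0)                           to_copy = 0;
    if (p->offset + to_copy > p->size + GUARD) to_copy = p->size + GUARD - p->offset;

    memset(p->data + p->offset, 0x42, to_copy); /* payload modeled as a constant fill */
    p->offset += to_copy;
    if (p->offset >= size) {
        p->read = 0;                      /* complete; a caller would consume p->data */
        return OK_COMPLETE;
    }
    return OK_NEED_MORE;
}

/* Constructed input: a 200-byte message starts on channel 3 with a full header
 * and one full chunk; the second fragment is described by the arguments.
 * Returns the second chunk's status; guard_intact(3) then shows any overrun. */
static int run(enum Mode mode, int has_size, int size, int payload_len)
{
    Chunk first  = { 3, 1, 200, CHUNK_SIZE };
    Chunk second = { 3, has_size, size, payload_len };
    packet_destroy(&prev_pkt[3]);
    rtmp_read_one_chunk(&first, mode);
    return rtmp_read_one_chunk(&second, mode);
}

int main(void)
{
    const char *names[] = { "unchecked", "resync", "reject" };
    for (int m = MODE_UNCHECKED; m <= MODE_REJECT; m++) {
        int r = run((enum Mode)m, 1, 300, CHUNK_SIZE); /* second fragment claims 300 bytes */
        printf("%-9s status=%d guard_intact=%d\n", names[m], r, guard_intact(3));
    }
    return 0;
}
```

In the unchecked run the second fragment's 300-byte claim drives the copy 56 bytes past the 200-byte buffer (here into the canary; in the unpatched code, past the heap allocation). The resync run matches the posted patch and quietly starts a fresh 300-byte packet, and the reject run returns an error; a size-less continuation header (has_size = 0) inherits the pending length and completes normally in every mode.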