On Fri, 13 Jan 2017, Anton Khirnov wrote:

Quoting Diego Biurrun (2017-01-11 18:10:08)
From: Alexandra Hájková <alexan...@khirnov.net>

---
 libavformat/rtpdec_h261.c         | 19 ++++++++++---------
 libavformat/rtpdec_h263_rfc2190.c | 19 ++++++++++---------
 libavformat/rtpdec_latm.c         | 24 +++++++++++++-----------
 libavformat/rtpdec_mpeg4.c        | 16 +++++++++-------
 libavformat/rtpdec_qt.c           | 31 ++++++++++++++++---------------
 libavformat/rtpenc_h263_rfc2190.c | 29 +++++++++++++++--------------
 6 files changed, 73 insertions(+), 65 deletions(-)

diff --git a/libavformat/rtpdec_mpeg4.c b/libavformat/rtpdec_mpeg4.c
index 00a732b..b3cd6c9 100644
--- a/libavformat/rtpdec_mpeg4.c
+++ b/libavformat/rtpdec_mpeg4.c
@@ -27,11 +27,13 @@
  * @author Romain Degez
  */

-#include "rtpdec_formats.h"
-#include "internal.h"
 #include "libavutil/attributes.h"
 #include "libavutil/avstring.h"
-#include "libavcodec/get_bits.h"
+
+#include "libavcodec/bitstream.h"
+
+#include "rtpdec_formats.h"
+#include "internal.h"

 #define MAX_AAC_HBR_FRAME_SIZE 8191

@@ -113,7 +115,7 @@ static int parse_fmtp_config(AVCodecParameters *par, const 
char *value)
 static int rtp_parse_mp4_au(PayloadContext *data, const uint8_t *buf, int len)
 {
     int au_headers_length, au_header_size, i;
-    GetBitContext getbitcontext;
+    BitstreamContext bctx;

     if (len < 2)
         return AVERROR_INVALIDDATA;
@@ -134,7 +136,7 @@ static int rtp_parse_mp4_au(PayloadContext *data, const 
uint8_t *buf, int len)
     if (len < data->au_headers_length_bytes)
         return AVERROR_INVALIDDATA;

-    init_get_bits(&getbitcontext, buf, data->au_headers_length_bytes * 8);
+    bitstream_init(&bctx, buf, data->au_headers_length_bytes * 8);

     /* XXX: Wrong if optional additional sections are present (cts, dts 
etc...) */
     au_header_size = data->sizelength + data->indexlength;
@@ -151,8 +153,8 @@ static int rtp_parse_mp4_au(PayloadContext *data, const 
uint8_t *buf, int len)
     }

     for (i = 0; i < data->nb_au_headers; ++i) {
-        data->au_headers[i].size  = get_bits_long(&getbitcontext, 
data->sizelength);
-        data->au_headers[i].index = get_bits_long(&getbitcontext, 
data->indexlength);
+        data->au_headers[i].size  = bitstream_read(&bctx, data->sizelength);
+        data->au_headers[i].index = bitstream_read(&bctx, data->indexlength);

Not really a problem introduced by this patch, but those two fields
don't seem to be bound-checked anywhere.

The values are parsed in parse_fmtp (with an AVOption like mechanism), where they are limited to a maximum of 32.

// Martin
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel

Reply via email to