diff options
| author | Luca Barbato <lu_zero@gentoo.org> | 2016-08-19 18:35:33 +0200 |
|---|---|---|
| committer | Luca Barbato <lu_zero@gentoo.org> | 2016-08-23 18:58:10 +0200 |
| commit | 24130234cd9dd733116d17b724ea4c8e12ce097a (patch) | |
| tree | fa793c6f648ed7fed65400918112ae845b19c02f /libavformat | |
| parent | 46e3936fb04d06550151e667357065e3f646da1a (diff) | |
rtpdec_mpeg4: validate fmtp fields
Diffstat (limited to 'libavformat')
| -rw-r--r-- | libavformat/rtpdec_mpeg4.c | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/libavformat/rtpdec_mpeg4.c b/libavformat/rtpdec_mpeg4.c index d5fea4f59c..bc50da2a8b 100644 --- a/libavformat/rtpdec_mpeg4.c +++ b/libavformat/rtpdec_mpeg4.c @@ -290,11 +290,22 @@ static int parse_fmtp(AVFormatContext *s, for (i = 0; attr_names[i].str; ++i) { if (!av_strcasecmp(attr, attr_names[i].str)) { if (attr_names[i].type == ATTR_NAME_TYPE_INT) { + int val = atoi(value); + if (val > 32) { + av_log(s, AV_LOG_ERROR, + "The %s field size is invalid (%d).", + attr, val); + return AVERROR_INVALIDDATA; + } *(int *)((char *)data+ - attr_names[i].offset) = atoi(value); - } else if (attr_names[i].type == ATTR_NAME_TYPE_STR) + attr_names[i].offset) = val; + } else if (attr_names[i].type == ATTR_NAME_TYPE_STR) { + char *val = av_strdup(value); + if (!val) + return AVERROR(ENOMEM); *(char **)((char *)data+ - attr_names[i].offset) = av_strdup(value); + attr_names[i].offset) = val; + } } } } |