From a76bc3bc44e3bcd6a0923e65cd669e71e9819388 Mon Sep 17 00:00:00 2001 From: Martin Storsjö Date: Sun, 20 Jan 2013 18:31:57 +0200 Subject: rtpdec: Check the return value from av_new_packet MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö --- libavformat/rtpdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'libavformat/rtpdec.c') diff --git a/libavformat/rtpdec.c b/libavformat/rtpdec.c index 4379e6f4f1..a8188878eb 100644 --- a/libavformat/rtpdec.c +++ b/libavformat/rtpdec.c @@ -635,7 +635,8 @@ static int rtp_parse_packet_internal(RTPDemuxContext *s, AVPacket *pkt, } else if (st) { /* At this point, the RTP header has been stripped; * This is ASSUMING that there is only 1 CSRC, which isn't wise. */ - av_new_packet(pkt, len); + if ((rv = av_new_packet(pkt, len)) < 0) + return rv; memcpy(pkt->data, buf, len); pkt->stream_index = st->index; } else { -- cgit v1.2.3 From f53490cc0c809975f8238d5a9edbd26f83bd2f84 Mon Sep 17 00:00:00 2001 From: Martin Storsjö Date: Sun, 20 Jan 2013 19:00:18 +0200 Subject: rtpdec/srtp: Handle CSRC fields being present MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is untested in practice, but follows the spec. Signed-off-by: Martin Storsjö --- libavformat/rtpdec.c | 10 +++++++--- libavformat/srtp.c | 15 ++++++++++++++- 2 files changed, 21 insertions(+), 4 deletions(-) (limited to 'libavformat/rtpdec.c') diff --git a/libavformat/rtpdec.c b/libavformat/rtpdec.c index a8188878eb..145d7c82e9 100644 --- a/libavformat/rtpdec.c +++ b/libavformat/rtpdec.c @@ -575,11 +575,12 @@ static int rtp_parse_packet_internal(RTPDemuxContext *s, AVPacket *pkt, { unsigned int ssrc; int payload_type, seq, flags = 0; - int ext; + int ext, csrc; AVStream *st; uint32_t timestamp; int rv = 0; + csrc = buf[0] & 0x0f; ext = buf[0] & 0x10; payload_type = buf[1] & 0x7f; if (buf[1] & 0x80) @@ -613,6 +614,11 @@ static int rtp_parse_packet_internal(RTPDemuxContext *s, AVPacket *pkt, len -= 12; buf += 12; + len -= 4 * csrc; + buf += 4 * csrc; + if (len < 0) + return AVERROR_INVALIDDATA; + /* RFC 3550 Section 5.3.1 RTP Header Extension handling */ if (ext) { if (len < 4) @@ -633,8 +639,6 @@ static int rtp_parse_packet_internal(RTPDemuxContext *s, AVPacket *pkt, s->st, pkt, ×tamp, buf, len, seq, flags); } else if (st) { - /* At this point, the RTP header has been stripped; - * This is ASSUMING that there is only 1 CSRC, which isn't wise. */ if ((rv = av_new_packet(pkt, len)) < 0) return rv; memcpy(pkt->data, buf, len); diff --git a/libavformat/srtp.c b/libavformat/srtp.c index ebc5c98fd7..21dafc2c4c 100644 --- a/libavformat/srtp.c +++ b/libavformat/srtp.c @@ -190,16 +190,23 @@ int ff_srtp_decrypt(struct SRTPContext *s, uint8_t *buf, int *lenptr) if (!(srtcp_index & 0x80000000)) return 0; } else { + int csrc; s->seq_initialized = 1; s->seq_largest = seq_largest; s->roc = roc; + csrc = buf[0] & 0x0f; ext = buf[0] & 0x10; ssrc = AV_RB32(buf + 8); buf += 12; len -= 12; + buf += 4 * csrc; + len -= 4 * csrc; + if (len < 0) + return AVERROR_INVALIDDATA; + if (ext) { if (len < 4) return AVERROR_INVALIDDATA; @@ -244,7 +251,7 @@ int ff_srtp_encrypt(struct SRTPContext *s, const uint8_t *in, int len, buf += 8; len -= 8; } else { - int ext; + int ext, csrc; int seq = AV_RB16(buf + 2); ssrc = AV_RB32(buf + 8); @@ -253,11 +260,17 @@ int ff_srtp_encrypt(struct SRTPContext *s, const uint8_t *in, int len, s->seq_largest = seq; index = seq + (((uint64_t)s->roc) << 16); + csrc = buf[0] & 0x0f; ext = buf[0] & 0x10; buf += 12; len -= 12; + buf += 4 * csrc; + len -= 4 * csrc; + if (len < 0) + return AVERROR_INVALIDDATA; + if (ext) { if (len < 4) return AVERROR_INVALIDDATA; -- cgit v1.2.3