From 34056cbba55f0131e8d2698717ab9e86e2da5178 Mon Sep 17 00:00:00 2001
From: Martin Storsjö
Date: Thu, 11 Mar 2010 16:26:14 +0000
Subject: Fix a crash in the H.263 RTP packetizer

If size == 1 and buf[0] == 0 and buf[1] == 0 (the first byte after the buffer), it would set size = -1 and crash in the later memcpy.

Originally committed as revision 22469 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavformat/rtpenc_h263.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'libavformat/rtpenc_h263.c')
diff --git a/libavformat/rtpenc_h263.c b/libavformat/rtpenc_h263.c
index 0ea492106b..84403a1069 100644
--- a/libavformat/rtpenc_h263.c
+++ b/libavformat/rtpenc_h263.c
@@ -50,7 +50,7 @@ void ff_rtp_send_h263(AVFormatContext *s1, const uint8_t *buf1, int size)
 while (size > 0) {
 q = s->buf;
- if ((buf1[0] == 0) && (buf1[1] == 0)) {
+ if (size >= 2 && (buf1[0] == 0) && (buf1[1] == 0)) {
 *q++ = 0x04;
 buf1 += 2;
 size -= 2;
-- cgit v1.2.3
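Review bot: The new `size >= 2` guard on the `if` at the top of the `while (size > 0)` loop has no comment saying why it is there, and the reason is a memory-safety one: per the commit message, without it `buf1[1]` is read one byte past the input when `size == 1`, and `size -= 2` then leaves a negative length for the later copy. I would add `/* Need two bytes here: buf1[1] is past the end of the input when size == 1 */` above the condition. The check has to stay first in the `&&` chain, since short-circuit evaluation is what keeps the out-of-bounds read from happening. The rest of the loop body is outside the hunk, so it is worth confirming separately that the copy and send path behaves sensibly when a two-byte all-zero input leaves `size == 0` after this branch.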