[FFmpeg-cvslog] Correct buffer handling for RTCP packets

John Brooks git at videolan.org
Thu Oct 13 03:45:34 CEST 2011 

ffmpeg | branch: master | John Brooks <john.brooks at bluecherry.net> | Wed Oct 12 00:53:12 2011 -0600| [c1847c932b1576e8224c38e112a5fd29fa8a6098] | committer: Michael Niedermayer

Correct buffer handling for RTCP packets

Previous code could read 4 bytes past the end of the buffer on a RTCP_SR
packet or offset a pointer by an unchecked external value (payload_len),
though neither will reliably cause a crash or other misbehavior beyond
garbage timestamps.

Additionally, unknown RTCP packet types, even in compounded packets, are
now ignored as per RFC 3550 section 6.1, page 22, though currently this
only has any practical effect if a sender puts an unrecognized type
before RTCP_BYE in a compounded packet, or (incorrectly) does not put
RTCP_SR first.

Signed-off-by: John Brooks <john.brooks at bluecherry.net>
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c1847c932b1576e8224c38e112a5fd29fa8a6098
---

 libavformat/rtpdec.c |   14 +++++++-------
 1 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/libavformat/rtpdec.c b/libavformat/rtpdec.c
index f9252a9..002222f 100644
--- a/libavformat/rtpdec.c
+++ b/libavformat/rtpdec.c
@@ -112,14 +112,15 @@ RTPDynamicProtocolHandler *ff_rtp_handler_find_by_id(int id,
 static int rtcp_parse_packet(RTPDemuxContext *s, const unsigned char *buf, int len)
 {
     int payload_len;
-    while (len >= 2) {
+    while (len >= 4) {
+        payload_len = FFMIN(len, (AV_RB16(buf + 2) + 1) * 4);
+
         switch (buf[1]) {
         case RTCP_SR:
-            if (len < 16) {
+            if (payload_len < 20) {
                 av_log(NULL, AV_LOG_ERROR, "Invalid length for RTCP SR packet\n");
                 return AVERROR_INVALIDDATA;
             }
-            payload_len = (AV_RB16(buf + 2) + 1) * 4;
 
             s->last_rtcp_ntp_time = AV_RB64(buf + 8);
             s->last_rtcp_timestamp = AV_RB32(buf + 16);
@@ -130,14 +131,13 @@ static int rtcp_parse_packet(RTPDemuxContext *s, const unsigned char *buf, int l
                 s->rtcp_ts_offset = s->last_rtcp_timestamp - s->base_timestamp;
             }
 
-            buf += payload_len;
-            len -= payload_len;
             break;
         case RTCP_BYE:
             return -RTCP_BYE;
-        default:
-            return -1;
         }
+
+        buf += payload_len;
+        len -= payload_len;
     }
     return -1;
 }

More information about the ffmpeg-cvslog mailing list