[FFmpeg-cvslog] rtpdec_mpeg4: validate fmtp fields
Luca Barbato
git at videolan.org
Sun Mar 19 19:25:10 EET 2017
ffmpeg | branch: master | Luca Barbato <lu_zero at gentoo.org> | Fri Aug 19 18:35:33 2016 +0200| [24130234cd9dd733116d17b724ea4c8e12ce097a] | committer: Luca Barbato
rtpdec_mpeg4: validate fmtp fields
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=24130234cd9dd733116d17b724ea4c8e12ce097a
---
libavformat/rtpdec_mpeg4.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/libavformat/rtpdec_mpeg4.c b/libavformat/rtpdec_mpeg4.c
index d5fea4f..bc50da2 100644
--- a/libavformat/rtpdec_mpeg4.c
+++ b/libavformat/rtpdec_mpeg4.c
@@ -290,11 +290,22 @@ static int parse_fmtp(AVFormatContext *s,
for (i = 0; attr_names[i].str; ++i) {
if (!av_strcasecmp(attr, attr_names[i].str)) {
if (attr_names[i].type == ATTR_NAME_TYPE_INT) {
+ int val = atoi(value);
+ if (val > 32) {
+ av_log(s, AV_LOG_ERROR,
+ "The %s field size is invalid (%d).",
+ attr, val);
+ return AVERROR_INVALIDDATA;
+ }
*(int *)((char *)data+
- attr_names[i].offset) = atoi(value);
- } else if (attr_names[i].type == ATTR_NAME_TYPE_STR)
+ attr_names[i].offset) = val;
+ } else if (attr_names[i].type == ATTR_NAME_TYPE_STR) {
+ char *val = av_strdup(value);
+ if (!val)
+ return AVERROR(ENOMEM);
*(char **)((char *)data+
- attr_names[i].offset) = av_strdup(value);
+ attr_names[i].offset) = val;
+ }
}
}
}
More information about the ffmpeg-cvslog
mailing list