[FFmpeg-devel] [PATCH] Add a RTP depacketizer for the X-Qt format

Martin Storsjö martin
Wed Oct 6 09:56:05 CEST 2010


On Tue, 5 Oct 2010, Ronald S. Bultje wrote:

> On Tue, Oct 5, 2010 at 6:07 PM, Martin Storsj? <martin at martin.st> wrote:
> >
> > Good catch. Checking if (alen <= 0) as the other switch case already does.
> [..]
> > +        data_len = get_bits(&gb, 16);
> > +
> > +        url_fseek(&pb, pos + 4, SEEK_SET);
> > +        tag = get_le32(&pb);
> > +        if ((st->codec->codec_type == CODEC_TYPE_VIDEO &&
> > +                 tag != MKTAG('v','i','d','e')) ||
> > +            (st->codec->codec_type == CODEC_TYPE_AUDIO &&
> > +                 tag != MKTAG('s','o','u','n')))
> > +            return AVERROR_INVALIDDATA;
> > +        av_set_pts_info(st, 32, 1, get_be32(&pb));
> > +
> > +        /* TLVs */
> > +        while (url_ftell(&pb) < pos + data_len) {
> 
> I wonder what happens if data_len is a random value (e.g. 0xFFFF) that
> is much bigger than the actual buffer size. It should probably be
> checked also to not exceed the input buffer size (len).

Added boundary checks for this, and checking that the amount of data to 
read in each block actually is available, and checking that the amount of 
data left for the payload actually is positive.

// Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-RTP-depacketization-of-the-X-QT-QuickTime-format.patch
Type: text/x-diff
Size: 13765 bytes
Desc: 
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20101006/6c7e7f67/attachment.patch>



More information about the ffmpeg-devel mailing list