[FFmpeg-devel] [PATCH] Add a RTP depacketizer for the X-Qt format
Ronald S. Bultje
rsbultje
Wed Oct 6 14:34:09 CEST 2010
Hi Martin,
On Wed, Oct 6, 2010 at 3:56 AM, Martin Storsj? <martin at martin.st> wrote:
> On Tue, 5 Oct 2010, Ronald S. Bultje wrote:
>> On Tue, Oct 5, 2010 at 6:07 PM, Martin Storsj? <martin at martin.st> wrote:
>> > Good catch. Checking if (alen <= 0) as the other switch case already does.
>> [..]
>> > + ? ? ? ?data_len = get_bits(&gb, 16);
>> > +
>> > + ? ? ? ?url_fseek(&pb, pos + 4, SEEK_SET);
>> > + ? ? ? ?tag = get_le32(&pb);
>> > + ? ? ? ?if ((st->codec->codec_type == CODEC_TYPE_VIDEO &&
>> > + ? ? ? ? ? ? ? ? tag != MKTAG('v','i','d','e')) ||
>> > + ? ? ? ? ? ?(st->codec->codec_type == CODEC_TYPE_AUDIO &&
>> > + ? ? ? ? ? ? ? ? tag != MKTAG('s','o','u','n')))
>> > + ? ? ? ? ? ?return AVERROR_INVALIDDATA;
>> > + ? ? ? ?av_set_pts_info(st, 32, 1, get_be32(&pb));
>> > +
>> > + ? ? ? ?/* TLVs */
>> > + ? ? ? ?while (url_ftell(&pb) < pos + data_len) {
>>
>> I wonder what happens if data_len is a random value (e.g. 0xFFFF) that
>> is much bigger than the actual buffer size. It should probably be
>> checked also to not exceed the input buffer size (len).
>
> Added boundary checks for this, and checking that the amount of data to
> read in each block actually is available, and checking that the amount of
> data left for the payload actually is positive.
I think this looks good. Feel free to apply.
Thanks!
Ronald
More information about the ffmpeg-devel
mailing list