[FFmpeg-devel] [PATCH] Fix to crash in ff_rtsp_read_reply

Michael Lynch mtlynch at google.com
Tue Oct 14 22:30:39 CEST 2014

This patch fixes a crash in ff_rtsp_read_reply that can occur when the
Content Length field of the RTSP reply message is very high (e.g. near
INT_MAX) and causes av_malloc to return NULL.


commit 1e085fa751168813912f13f89b754e5711b13daa
Author: Michael Lynch <mtlynch at google.com>
Date:   Tue Oct 14 14:19:40 2014 -0400

    Fixing crash in ff_rtsp_read_reply caused by failure to check the
result of memory allocation.

diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c
index 523a7c0..77f03ba 100644
--- a/libavformat/rtsp.c
+++ b/libavformat/rtsp.c
@@ -1150,6 +1150,8 @@ start:
     if (content_length > 0) {
         /* leave some room for a trailing '\0' (useful for simple parsing)
         content = av_malloc(content_length + 1);
+        if (!content)
+            return AVERROR(ENOMEM);
         ffurl_read_complete(rt->rtsp_hd, content, content_length);
         content[content_length] = '\0';

More information about the ffmpeg-devel mailing list