[FFmpeg-trac] #1274(undetermined:new): Segmentation fault in "rtpdec_h264.c"

FFmpeg trac at avcodec.org
Fri May 4 17:57:26 CEST 2012


#1274: Segmentation fault in "rtpdec_h264.c"
-------------------------------------+-------------------------------------
             Reporter:  Belevern     |                     Type:  defect
               Status:  new          |                 Priority:  normal
            Component:               |                  Version:  git-
  undetermined                       |  master
             Keywords:               |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
 I'm using a Beward B2.920F IP camera, and when I use ffmpeg's RTSP support
 there is a segmentation fault at this line:
 memcpy(pkt->data+sizeof(start_sequence)+sizeof(nal), buf, len);
 The same happens on Windows and Linux.
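 It happens because this model of camera sometimes sends packets whose
 useful data is only 0-2 bytes long (in h264_handle_packet, len = 0, 1 or 2).
 The FU-A branch decrements len twice, so for such a packet len can be
 negative by the time it reaches memcpy, where it is converted to a very
 large size_t. I fixed this by adding this: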

 // return 0 on packet, no more left, 1 on packet, 1 on partial packet...
 static int h264_handle_packet(AVFormatContext *ctx,
                               PayloadContext *data,
                               AVStream *st,
                               AVPacket * pkt,
                               uint32_t * timestamp,
                               const uint8_t * buf,
                               int len, int flags)
 {
     if(!len){
         av_log(ctx, AV_LOG_ERROR,"Beward fix (buffer is too short in
 packet)\n");
         return 0;
     }



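 And this check in the FU-A case, so that the fu_header byte is only read,
 and len only decremented a second time, when enough bytes remain. (Both
 additions are only a workaround: the early return above gives back 0, which
 the comment on the function lists as the "packet" result even though no
 packet was filled in, so a final fix should probably return an error code
 for these short packets instead.)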


     case 28:                   // FU-A (fragmented nal)
         buf++;
         len--;                  // skip the fu_indicator
         if(len>1){
             // these are the same as above, we just redo them here for
 clarity...
             uint8_t fu_indicator = nal;
             uint8_t fu_header = *buf;   // read the fu_header.
             uint8_t start_bit = fu_header >> 7;
 //            uint8_t end_bit = (fu_header & 0x40) >> 6;
             uint8_t nal_type = (fu_header & 0x1f);
             uint8_t reconstructed_nal;

             // reconstruct this packet's true nal; only the data follows..
             reconstructed_nal = fu_indicator & (0xe0);  // the original
 nal forbidden bit and NRI are stored in this packet's nal;
             reconstructed_nal |= nal_type;

             // skip the fu_header...
             buf++;
             len--;

 #ifdef DEBUG
             if (start_bit)
                 data->packet_types_received[nal_type]++;
 #endif
             if(start_bit) {
                 // copy in the start sequence, and the reconstructed
 nal....
                 //av_log(ctx, AV_LOG_ERROR,"%08X %08X %08X
 %08X\n",pkt,pkt->data,buf,len);
                 av_new_packet(pkt,
 sizeof(start_sequence)+sizeof(nal)+len);
                 memcpy(pkt->data, start_sequence, sizeof(start_sequence));
                 pkt->data[sizeof(start_sequence)]= reconstructed_nal;
                 memcpy(pkt->data+sizeof(start_sequence)+sizeof(nal), buf,
 len);
             } else {
                 av_new_packet(pkt, len);
                 memcpy(pkt->data, buf, len);
             }
         }else{
             av_log(ctx, AV_LOG_ERROR,"Beward fix (buffer is too short in
 packet)\n");
         }
         break;


 Please fix this, because I can't upload it to git and compile under Windows.
 (I'm using the automated builds by Zeranoe.)

-- 
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/1274>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker

