id	summary	reporter	owner	description	type	status	priority	component	version	resolution	keywords	cc	blockedby	blocking	reproduced	analyzed
1274	"Segmentation fault in ""rtpdec_h264.c"""	Belevern		"I'm using a Beward B2.920F IP camera, and when I use ffmpeg's RTSP support a segmentation fault occurs at this line:
memcpy(pkt->data+sizeof(start_sequence)+sizeof(nal), buf, len);
Same in Windows and Linux.
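It happens because this camera model sometimes sends packets whose useful data is only 0-2 bytes long (in h264_handle_packet, len = 0, 1 or 2). In the FU-A branch, len is a signed int that is decremented twice (once for the fu_indicator, once for the fu_header) before the copy, so a packet that short can leave len negative by the time it is passed to av_new_packet and memcpy as a size. I fixed this by adding this: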

// return 0 on packet, no more left, 1 on packet, 1 on partial packet...
static int h264_handle_packet(AVFormatContext *ctx,
                              PayloadContext *data,
                              AVStream *st,
                              AVPacket * pkt,
                              uint32_t * timestamp,
                              const uint8_t * buf,
                              int len, int flags)
{
    if(!len){
        av_log(ctx, AV_LOG_ERROR,""Beward fix (buffer is too short in packet)\n"");
        return 0;
    }



And this:


    case 28:                   // FU-A (fragmented nal)
        buf++;
        len--;                  // skip the fu_indicator
        if(len>1){
            // these are the same as above, we just redo them here for clarity...
            uint8_t fu_indicator = nal;
            uint8_t fu_header = *buf;   // read the fu_header.
            uint8_t start_bit = fu_header >> 7;
//            uint8_t end_bit = (fu_header & 0x40) >> 6;
            uint8_t nal_type = (fu_header & 0x1f);
            uint8_t reconstructed_nal;

            // reconstruct this packet's true nal; only the data follows..
            reconstructed_nal = fu_indicator & (0xe0);  // the original nal forbidden bit and NRI are stored in this packet's nal;
            reconstructed_nal |= nal_type;

            // skip the fu_header...
            buf++;
            len--;

#ifdef DEBUG
            if (start_bit)
                data->packet_types_received[nal_type]++;
#endif
            if(start_bit) {
                // copy in the start sequence, and the reconstructed nal....
                //av_log(ctx, AV_LOG_ERROR,""%08X %08X %08X %08X\n"",pkt,pkt->data,buf,len);
                av_new_packet(pkt, sizeof(start_sequence)+sizeof(nal)+len);
                memcpy(pkt->data, start_sequence, sizeof(start_sequence));
                pkt->data[sizeof(start_sequence)]= reconstructed_nal;
                memcpy(pkt->data+sizeof(start_sequence)+sizeof(nal), buf, len);
            } else {
                av_new_packet(pkt, len);
                memcpy(pkt->data, buf, len);
            }
        }else{
            av_log(ctx, AV_LOG_ERROR,""Beward fix (buffer is too short in packet)\n"");
        }
        break;


Please fix it, because I can't upload it to git and compile it under Windows. (I'm using the automated builds by Zeranoe)."	defect	closed	normal	undetermined	git-master	fixed					0	0
