[FFmpeg-cvslog] avformat/rtpdec_xiph: Check upper bound on len in xiph_handle_packet()

Michael Niedermayer git at videolan.org
Tue Jun 2 00:50:07 CEST 2015


ffmpeg | branch: release/2.4 | Michael Niedermayer <michaelni at gmx.at> | Tue May 12 18:03:55 2015 +0200| [18e83992f20e31d71b0bf87f2deb4e95e3abc333] | committer: Michael Niedermayer

avformat/rtpdec_xiph: Check upper bound on len in xiph_handle_packet()

Larger packets are not supported and would cause problems later

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit aa5169935e160551fb1c290d1397da2f04325817)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=18e83992f20e31d71b0bf87f2deb4e95e3abc333
---

 libavformat/rtpdec_xiph.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/rtpdec_xiph.c b/libavformat/rtpdec_xiph.c
index dc34f9e..da9a1e2 100644
--- a/libavformat/rtpdec_xiph.c
+++ b/libavformat/rtpdec_xiph.c
@@ -112,7 +112,7 @@ static int xiph_handle_packet(AVFormatContext *ctx, PayloadContext *data,
         return data->split_pkts > 0;
     }
 
-    if (len < 6) {
+    if (len < 6 || len > INT_MAX/2) {
         av_log(ctx, AV_LOG_ERROR, "Invalid %d byte packet\n", len);
         return AVERROR_INVALIDDATA;
     }



More information about the ffmpeg-cvslog mailing list