[FFmpeg-cvslog] Merge commit '24130234cd9dd733116d17b724ea4c8e12ce097a'

[Clément Bœsch]

ffmpeg | branch: master | Clément Bœsch <u at pkh.me> | Sun Mar 19 18:22:53 2017 +0100| [f4a39ceea0d25a21c9c6e0cc64a0825fd5d84c5b] | committer: Clément Bœsch

Merge commit '24130234cd9dd733116d17b724ea4c8e12ce097a'

* commit '24130234cd9dd733116d17b724ea4c8e12ce097a':
  rtpdec_mpeg4: validate fmtp fields

Merged with fixed log message.

Merged-by: Clément Bœsch <u at pkh.me>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f4a39ceea0d25a21c9c6e0cc64a0825fd5d84c5b
---

 libavformat/rtpdec_mpeg4.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/libavformat/rtpdec_mpeg4.c b/libavformat/rtpdec_mpeg4.c
index 068d378..994ab49 100644
--- a/libavformat/rtpdec_mpeg4.c
+++ b/libavformat/rtpdec_mpeg4.c
@@ -289,11 +289,22 @@ static int parse_fmtp(AVFormatContext *s,
         for (i = 0; attr_names[i].str; ++i) {
             if (!av_strcasecmp(attr, attr_names[i].str)) {
                 if (attr_names[i].type == ATTR_NAME_TYPE_INT) {
+                    int val = atoi(value);
+                    if (val > 32) {
+                        av_log(s, AV_LOG_ERROR,
+                               "The %s field size is invalid (%d)\n",
+                               attr, val);
+                        return AVERROR_INVALIDDATA;
+                    }
                     *(int *)((char *)data+
-                        attr_names[i].offset) = atoi(value);
-                } else if (attr_names[i].type == ATTR_NAME_TYPE_STR)
+                        attr_names[i].offset) = val;
+                } else if (attr_names[i].type == ATTR_NAME_TYPE_STR) {
+                    char *val = av_strdup(value);
+                    if (!val)
+                        return AVERROR(ENOMEM);
                     *(char **)((char *)data+
-                        attr_names[i].offset) = av_strdup(value);
+                        attr_names[i].offset) = val;
+                }
             }
         }
     }


======================================================================

diff --cc libavformat/rtpdec_mpeg4.c
index 068d378,bc50da2..994ab49
--- a/libavformat/rtpdec_mpeg4.c
+++ b/libavformat/rtpdec_mpeg4.c
@@@ -289,11 -290,22 +289,22 @@@ static int parse_fmtp(AVFormatContext *
          for (i = 0; attr_names[i].str; ++i) {
              if (!av_strcasecmp(attr, attr_names[i].str)) {
                  if (attr_names[i].type == ATTR_NAME_TYPE_INT) {
+                     int val = atoi(value);
+                     if (val > 32) {
+                         av_log(s, AV_LOG_ERROR,
 -                               "The %s field size is invalid (%d).",
++                               "The %s field size is invalid (%d)\n",
+                                attr, val);
+                         return AVERROR_INVALIDDATA;
+                     }
                      *(int *)((char *)data+
-                         attr_names[i].offset) = atoi(value);
-                 } else if (attr_names[i].type == ATTR_NAME_TYPE_STR)
+                         attr_names[i].offset) = val;
+                 } else if (attr_names[i].type == ATTR_NAME_TYPE_STR) {
+                     char *val = av_strdup(value);
+                     if (!val)
+                         return AVERROR(ENOMEM);
                      *(char **)((char *)data+
-                         attr_names[i].offset) = av_strdup(value);
+                         attr_names[i].offset) = val;
+                 }
              }
          }
      }