rtmppkt: Check for packet size mismatches
author Michael Niedermayer <michael@niedermayer.cc>
Mon, 5 Dec 2016 10:14:51 +0000 (11:14 +0100)
committer Martin Storsjö <martin@martin.st>
Thu, 15 Dec 2016 13:45:59 +0000 (15:45 +0200)
commit a4fec9a7eab842ea5eea1b1ee98624356cb31422
tree 86ebc265fa54d54887e475a0cb1799a1340991b5
parent cdcfa97dc49d83b5eefd0a651db6bb0a6f98e8f2
rtmppkt: Check for packet size mismatches

When receiving fragmented packets, the first packet declares the size,
and the later ones normally are small follow-on packets that don't repeat
the size and the other header fields. But technically, the later fragments
also can have a full header, declaring a different size than the previous
packet.

If the follow-on packet declares a larger size than the initial one, we
could end up writing outside of the allocation.

This fixes out of bounds writes.

Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
libavformat/rtmppkt.c
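
The check the commit message describes, as an added example that is not libav's code: a simplified fragment reassembler that rejects a follow-on fragment whose full header declares a different size than the one the buffer was allocated for. The names Partial, feed_fragment and the FRAG_* codes are hypothetical, and a declared size of 0 stands in for a short follow-on header that repeats no size.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reassembly state for one message (not libav's structures). */
typedef struct {
    uint8_t *data;   /* allocated from the size the first fragment declared */
    uint32_t size;   /* that declared size */
    uint32_t offset; /* bytes copied so far */
} Partial;

enum { FRAG_OK = 0, FRAG_DONE = 1, FRAG_MISMATCH = -1, FRAG_NOMEM = -2 };

/* Feed one fragment. declared is the size in this fragment's header, or 0
 * (simplification) for a short follow-on header that repeats no size. */
int feed_fragment(Partial *p, uint32_t declared, const uint8_t *payload, uint32_t len)
{
    if (!p->data) {                       /* first fragment: allocate */
        if (!declared)
            return FRAG_MISMATCH;
        if (!(p->data = malloc(declared)))
            return FRAG_NOMEM;
        p->size = declared;
        p->offset = 0;
    } else if (declared && declared != p->size) {
        /* A full header mid-message disagrees with the allocation: drop the
         * message instead of trusting the new size for the copy length. */
        free(p->data);
        memset(p, 0, sizeof(*p));
        return FRAG_MISMATCH;
    }
    uint32_t room = p->size - p->offset;  /* bounded by the allocation */
    uint32_t n = len < room ? len : room;
    memcpy(p->data + p->offset, payload, n);
    p->offset += n;
    return p->offset == p->size ? FRAG_DONE : FRAG_OK;
}

int main(void)
{
    uint8_t buf[64] = {0};                /* constructed sample payload */
    Partial p = {0};
    printf("first (size 8):      %d\n", feed_fragment(&p, 8, buf, 4));
    printf("follow-on (size 64): %d\n", feed_fragment(&p, 64, buf, 60));
    return 0;
}
```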