rtpdec_mpeg4: validate fmtp fields
authorLuca Barbato <lu_zero@gentoo.org>
Fri, 19 Aug 2016 16:35:33 +0000 (18:35 +0200)
committerLuca Barbato <lu_zero@gentoo.org>
Tue, 23 Aug 2016 16:58:10 +0000 (18:58 +0200)
libavformat/rtpdec_mpeg4.c

index d5fea4f..bc50da2 100644 (file)
@@ -290,11 +290,22 @@ static int parse_fmtp(AVFormatContext *s,
         for (i = 0; attr_names[i].str; ++i) {
             if (!av_strcasecmp(attr, attr_names[i].str)) {
                 if (attr_names[i].type == ATTR_NAME_TYPE_INT) {
         for (i = 0; attr_names[i].str; ++i) {
             if (!av_strcasecmp(attr, attr_names[i].str)) {
                 if (attr_names[i].type == ATTR_NAME_TYPE_INT) {
+                    int val = atoi(value);
+                    if (val > 32) {
+                        av_log(s, AV_LOG_ERROR,
+                               "The %s field size is invalid (%d).",
+                               attr, val);
+                        return AVERROR_INVALIDDATA;
+                    }
                     *(int *)((char *)data+
                     *(int *)((char *)data+
-                        attr_names[i].offset) = atoi(value);
-                } else if (attr_names[i].type == ATTR_NAME_TYPE_STR)
+                        attr_names[i].offset) = val;
+                } else if (attr_names[i].type == ATTR_NAME_TYPE_STR) {
+                    char *val = av_strdup(value);
+                    if (!val)
+                        return AVERROR(ENOMEM);
                     *(char **)((char *)data+
                     *(char **)((char *)data+
-                        attr_names[i].offset) = av_strdup(value);
+                        attr_names[i].offset) = val;
+                }
             }
         }
     }
             }
         }
     }