From a7ba3244131d96d9ab7a99ef30dc7276efd05cc7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= <martin@martin.st>
Date: Tue, 15 Jan 2013 15:35:18 +0200
Subject: [PATCH] rtpdec_mpeg4: Check the remaining amount of data before
 reading
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This fixes possible buffer overreads.

Signed-off-by: Martin Storsjö <martin@martin.st>
---
 libavformat/rtpdec_mpeg4.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/libavformat/rtpdec_mpeg4.c b/libavformat/rtpdec_mpeg4.c
index 3cac29f8a32..13601a732d8 100644
--- a/libavformat/rtpdec_mpeg4.c
+++ b/libavformat/rtpdec_mpeg4.c
@@ -109,11 +109,14 @@ static int parse_fmtp_config(AVCodecContext *codec, char *value)
     return 0;
 }
 
-static int rtp_parse_mp4_au(PayloadContext *data, const uint8_t *buf)
+static int rtp_parse_mp4_au(PayloadContext *data, const uint8_t *buf, int len)
 {
     int au_headers_length, au_header_size, i;
     GetBitContext getbitcontext;
 
+    if (len < 2)
+        return AVERROR_INVALIDDATA;
+
     /* decode the first 2 bytes where the AUHeader sections are stored
        length in bits */
     au_headers_length = AV_RB16(buf);
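Review bot: The new `len` parameter carries the contract the rest of the patch relies on but is not documented at the signature; I would add `/* len: bytes readable at buf; must cover the 2-byte AU-headers-length field plus the AU headers */` above the function. The `len < 2` guard is correctly placed before `AV_RB16(buf)`, and being a signed comparison it also rejects a negative length. rtp_parse_mp4_au continues past the end of this hunk.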
@@ -125,6 +128,10 @@ static int rtp_parse_mp4_au(PayloadContext *data, const uint8_t *buf)
 
     /* skip AU headers length section (2 bytes) */
     buf += 2;
+    len -= 2;
+
+    if (len < data->au_headers_length_bytes)
+        return AVERROR_INVALIDDATA;
 
     init_get_bits(&getbitcontext, buf, data->au_headers_length_bytes * 8);
 
@@ -165,7 +172,7 @@ static int aac_parse_packet(AVFormatContext *ctx, PayloadContext *data,
                             int flags)
 {
     int ret;
-    if (rtp_parse_mp4_au(data, buf))
+    if (rtp_parse_mp4_au(data, buf, len))
         return -1;
 
     buf += data->au_headers_length_bytes + 2;
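Review bot: The call on the changed line discards the `AVERROR_INVALIDDATA` that rtp_parse_mp4_au now returns and hands the caller a bare `-1`; if the callee only ever returns 0 or a negative AVERROR code (which this hunk cannot confirm), `if ((ret = rtp_parse_mp4_au(data, buf, len)) < 0) return ret;` would propagate the specific error. Note also that `len` is not reduced alongside `buf += data->au_headers_length_bytes + 2;` within this hunk; that adjustment, if present, lies past the hunk's last line. aac_parse_packet starts before and ends after this hunk.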
@@ -173,6 +180,8 @@ static int aac_parse_packet(AVFormatContext *ctx, PayloadContext *data,
 
     /* XXX: Fixme we only handle the case where rtp_parse_mp4_au define
                     one au_header */
+    if (len < data->au_headers[0].size)
+        return AVERROR_INVALIDDATA;
     if ((ret = av_new_packet(pkt, data->au_headers[0].size)) < 0)
         return ret;
     memcpy(pkt->data, buf, data->au_headers[0].size);
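Review bot: The new `len < data->au_headers[0].size` check only guards the `memcpy` two lines below if `len` was reduced by `data->au_headers_length_bytes + 2` after `buf` was advanced in the previous hunk; that line (old line 172) falls between the hunks and is not shown. If it is absent, the check still permits an over-read of up to `au_headers_length_bytes + 2` bytes. Once confirmed, a comment `/* len already excludes the AU-header section */` above the check would make the dependency explicit. The function continues past this hunk.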
-- 
GitLab