This wasn't an issue prior to 58404738, when the whole RTMP packet
was copied at once and the length of the individual embedded flv
packets only were validated by the flv demuxer.
Prior to this patch, this could lead to reads and writes out of bound.
Signed-off-by: Martin Storsjö <martin@martin.st>
If the embedded flv packets were incomplete and we aborted the
copying loop early, make sure the flv buffer is trimmed to
only contain full packets.
Signed-off-by: Martin Storsjö <martin@martin.st>
update_offset is also called from handle_metadata, where the
packet header sizes is already included in the size.
Previously this lead to flv_data/flv_size including 15 uninitialized
bytes at the end after each call to handle_metadata, making the
flv demuxer lose sync with the stream.
Also remove leftover copying in handle_metadata. This is a leftover
from the refactoring in 5840473. (Previously this final mempcy was
the one that copied all the packets at once, while this is done
within the loop right now.) After making sure flv_size is set to
the right size, this write was out of bounds.
Signed-off-by: Martin Storsjö <martin@martin.st>
This was overlooked in d872fb0f7 since I assumed all the realloc
issues in the rtmp code was fixed already.
Signed-off-by: Martin Storsjö <martin@martin.st>
The current magic numbers passed are values in seconds, while the
parameter itself should be passed over the wire in milliseconds.
This makes (some/all?) live streams from Red5 work correctly, that
previously returned StreamNotFound even with "-rtmp_live live". After
this commit, the default 'any' also works on these streams.
Signed-off-by: Martin Storsjö <martin@martin.st>
On (certain streams/setups at least on) Red5, the description string
actually is present, but empty. Therefore, first try loading the
description, but if not found or empty, load the code string instead.
The code string is quite understandable in most cases anyway (like
"NetStream.Play.StreamNotFound").
Signed-off-by: Martin Storsjö <martin@martin.st>
This makes sure errors in setting stream parameters are passed
on to the caller. This avoids successfully opening files while
some parameters aren't filled in properly.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
Fixes sync in some samples (e.g. bugs 7581 and 8374 in VLC).
Based on a commit by Matthieu Bouron <matthieu.bouron@gmail.com>
Reported-by: Jean-Baptiste Kempf <jb@videolan.org>
CC: libav-stable@libav.org
This fixes reads out of bounds.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
We read 2 bytes for 15 out of 16 pixels, therefore we need to
have at least 30 bytes, not 16.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
Decoded data is always written in pairs within this decoder.
This fixes writes out of bounds.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
Previously, we returned 0, meaning successful decoding but 0
bytes consumed, leading to an infinite loop.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
If the input buffer contains more data after the deflate stream,
the loop previously left running infinitely, with inflate returning
Z_STREAM_END.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
This avoids setting a negative number of frames, ending up with a
negative average frame rate.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
If a zero-length video packet is to be returned, just return
AVERROR(EAGAIN) and switch back to the audio stream.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
This avoids a division by zero for G726.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
This avoids a division by zero.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
In lpc_prediction(), we write up to array element 'lpc_order' in
an array allocated to hold 'max_samples_per_frame' elements.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
Even if the sample rate is valid, an invalid bitrate could
pass the mode combination test below.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
This avoids divisions by zero later (and possibly assertions in
time base scaling), since an invalid rate_flag combined with an
invalid bitrate below could pass the mode combination test.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
When av_reallocp fails, the associated variables that keep track of
the number of elements in the array (and in some cases, the
separate number of allocated elements) need to be reset.
Not all of these might technically be needed, but it's better to
reset them if in doubt, to make sure variables don't end up
conflicting.
Signed-off-by: Martin Storsjö <martin@martin.st>
Martin Storsjö
Diego Biurrun
Vittorio Giovara
Maxim Poliakovski
Anton Khirnov
Luca Barbato
Paul B Mahol
Carl Eugen Hoyos
Reimar Döffinger