Hi,

the chunk size in rm files is stored in 16 bits, but the packet size can be larger, triggering an av_assert2 in avio_w8 (via avio_wb16).

Best regards,
Andreas
From 044b4bd4df935b918055c24ae661e9bcc31e425a Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Date: Sat, 28 Feb 2015 23:11:50 +0100
Subject: [PATCH] avformat/rmenc: limit packet size

The chunk size is limited to 0xFFFF (written by avio_wb16), so make
sure that the packet size is not too large.

Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavformat/rmenc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/rmenc.c b/libavformat/rmenc.c
index 838388f..1567834 100644
--- a/libavformat/rmenc.c
+++ b/libavformat/rmenc.c
@@ -396,6 +396,10 @@ static int rm_write_video(AVFormatContext *s, const uint8_t *buf, int size, int
     /* Well, I spent some time finding the meaning of these bits. I am
        not sure I understood everything, but it works !! */
 #if 1
+    if (size > 0xFFFF - 7 - 4 - 12) {
+        av_log(s, AV_LOG_ERROR, "paket size %d too large\n", size);
+        return AVERROR(EINVAL);
+    }
     write_packet_header(s, stream, size + 7 + (size >= 0x4000)*4, key_frame);
     /* bit 7: '1' if final packet of a frame converted in several packets */
     avio_w8(pb, 0x81);
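Review bot: The bound 0xFFFF - 7 - 4 - 12 in the added check is hard to audit from this hunk alone. The 7 and the 4 mirror the size + 7 + (size >= 0x4000)*4 passed to write_packet_header on the following line, but nothing visible here explains the 12, so a short comment or a named constant saying which header bytes it accounts for would let a reader confirm that the value written by avio_wb16 cannot exceed 0xFFFF. The check subtracts 4 unconditionally while the extra 4 bytes apply only when size >= 0x4000; that is always true near the limit, so the result is correct, but it is worth saying so in the comment. The log string also misspells "packet" as "paket". Finally, the check sits inside the #if 1 block, so if an alternative branch exists it is not covered by it.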
-- 
2.1.4
