phunkyfish:
> ---
> libavformat/rtsp.c | 49 ++++++++++++++++++++++++++++++++++++++--------
> 1 file changed, 41 insertions(+), 8 deletions(-)
>
> diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c
> index cd6fc32a29..d23ec5723e 100644
> --- a/libavformat/rtsp.c
> +++ b/libavformat/rtsp.c
> @@ -2447,8 +2447,8 @@ static int rtp_probe(const AVProbeData *p)
> static int rtp_read_header(AVFormatContext *s)
> {
> uint8_t recvbuf[RTP_MAX_PACKET_LENGTH];
> - char host[500], sdp[500];
> - int ret, port;
> + char host[500], sdp[1000], filters_buf[1000];
> + int ret, port, sdp_length, nc;
> URLContext* in = NULL;
> int payload_type;
> AVCodecParameters *par = NULL;
> @@ -2456,6 +2456,7 @@ static int rtp_read_header(AVFormatContext *s)
> AVIOContext pb;
> socklen_t addrlen = sizeof(addr);
> RTSPState *rt = s->priv_data;
> + const char *p;
>
> if (!ff_network_init())
> return AVERROR(EIO);
> @@ -2513,12 +2514,41 @@ static int rtp_read_header(AVFormatContext *s)
> av_url_split(NULL, 0, NULL, 0, host, sizeof(host), &port,
> NULL, 0, s->url);
>
> - snprintf(sdp, sizeof(sdp),
> - "v=0\r\nc=IN IP%d %s\r\nm=%s %d RTP/AVP %d\r\n",
> - addr.ss_family == AF_INET ? 4 : 6, host,
> - par->codec_type == AVMEDIA_TYPE_DATA ? "application" :
> - par->codec_type == AVMEDIA_TYPE_VIDEO ? "video" : "audio",
> - port, payload_type);
> + sdp_length = snprintf(sdp + sdp_length, sizeof(sdp) - sdp_length,
> + "v=0\r\nc=IN IP%d %s\r\n",
> + addr.ss_family == AF_INET ? 4 : 6, host);
> +
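Review bot: The `int sdp_length` declared in the first hunk is later fed from snprintf()'s return value (third hunk), and that value is the length the output would have had, so on truncation it can reach or exceed `sizeof(sdp)`. Any later append written in the same `sdp + sdp_length, sizeof(sdp) - sdp_length` form would then start past the end of the 1000-byte buffer, with a size argument that wraps once the int is converted to size_t. The rest of the third hunk is cut off in this quote, so whether such appends follow is inferred from the offset form and the new `filters_buf`. Returning an error when `sdp_length < 0 || sdp_length >= (int)sizeof(sdp)` after each call, or building the string with `av_strlcatf(sdp, sizeof(sdp), ...)`, would keep every write bounded. rtp_read_header's body continues outside the hunk.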
sdp_length is used uninitialized here it is used uninitialized in the version that was merged as b71685865fe761925feedda3cd0b288224d9a509. The newer versions [2], [3] don't exhibit this flaw. [3] and [1] also have a flaw in common that [2] and this one are lacking: The semicolon of the definition of const char *p is missing. Finally, neither of these versions here seems to have been based upon git master which contains a call to av_log() directly after the above snprintf. - Andreas [1]: https://ffmpeg.org/pipermail/ffmpeg-devel/2020-March/257887.html [2]: https://ffmpeg.org/pipermail/ffmpeg-devel/2020-March/257989.html [3]: https://ffmpeg.org/pipermail/ffmpeg-devel/2020-March/259128.html