On 15/12/2016 14:22, Martin Storsjö wrote: > From: Michael Niedermayer <mich...@niedermayer.cc> > > When receiving fragmented packets, the first packet declares the size, > and the later ones normally are small follow-on packets that don't repeat > the size and the other header fields. But technically, the later fragments > also can have a full header, declaring a different size than the previous > packet. > > If the follow-on packet declares a larger size than the initial one, we > could end up writing outside of the allocation. > > This fixes out of bounds writes. > > Found-by: Paul Cher <paulc...@icloud.com> > Reviewed-by: Paul Cher <paulc...@icloud.com> > > CC: libav-sta...@libav.org > --- > Now with error return and improved commit message. > --- > libavformat/rtmppkt.c | 8 ++++++++ > 1 file changed, 8 insertions(+) >
Fine for me :) _______________________________________________ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel