diff options
author | Martin Storsjö <martin@martin.st> | 2013-01-20 19:00:18 +0200 |
---|---|---|
committer | Martin Storsjö <martin@martin.st> | 2013-01-21 00:10:47 +0200 |
commit | f53490cc0c809975f8238d5a9edbd26f83bd2f84 (patch) | |
tree | 9e0ca0c3ef41ebea44d4480ff32536739c4045ec | |
parent | a76bc3bc44e3bcd6a0923e65cd669e71e9819388 (diff) | |
download | ffmpeg-f53490cc0c809975f8238d5a9edbd26f83bd2f84.tar.gz |
rtpdec/srtp: Handle CSRC fields being present
This is untested in practice, but follows the spec.
Signed-off-by: Martin Storsjö <martin@martin.st>
-rw-r--r-- | libavformat/rtpdec.c | 10 | ||||
-rw-r--r-- | libavformat/srtp.c | 15 |
2 files changed, 21 insertions, 4 deletions
diff --git a/libavformat/rtpdec.c b/libavformat/rtpdec.c index a8188878eb..145d7c82e9 100644 --- a/libavformat/rtpdec.c +++ b/libavformat/rtpdec.c @@ -575,11 +575,12 @@ static int rtp_parse_packet_internal(RTPDemuxContext *s, AVPacket *pkt, { unsigned int ssrc; int payload_type, seq, flags = 0; - int ext; + int ext, csrc; AVStream *st; uint32_t timestamp; int rv = 0; + csrc = buf[0] & 0x0f; ext = buf[0] & 0x10; payload_type = buf[1] & 0x7f; if (buf[1] & 0x80) @@ -613,6 +614,11 @@ static int rtp_parse_packet_internal(RTPDemuxContext *s, AVPacket *pkt, len -= 12; buf += 12; + len -= 4 * csrc; + buf += 4 * csrc; + if (len < 0) + return AVERROR_INVALIDDATA; + /* RFC 3550 Section 5.3.1 RTP Header Extension handling */ if (ext) { if (len < 4) @@ -633,8 +639,6 @@ static int rtp_parse_packet_internal(RTPDemuxContext *s, AVPacket *pkt, s->st, pkt, ×tamp, buf, len, seq, flags); } else if (st) { - /* At this point, the RTP header has been stripped; - * This is ASSUMING that there is only 1 CSRC, which isn't wise. */ if ((rv = av_new_packet(pkt, len)) < 0) return rv; memcpy(pkt->data, buf, len); diff --git a/libavformat/srtp.c b/libavformat/srtp.c index ebc5c98fd7..21dafc2c4c 100644 --- a/libavformat/srtp.c +++ b/libavformat/srtp.c @@ -190,16 +190,23 @@ int ff_srtp_decrypt(struct SRTPContext *s, uint8_t *buf, int *lenptr) if (!(srtcp_index & 0x80000000)) return 0; } else { + int csrc; s->seq_initialized = 1; s->seq_largest = seq_largest; s->roc = roc; + csrc = buf[0] & 0x0f; ext = buf[0] & 0x10; ssrc = AV_RB32(buf + 8); buf += 12; len -= 12; + buf += 4 * csrc; + len -= 4 * csrc; + if (len < 0) + return AVERROR_INVALIDDATA; + if (ext) { if (len < 4) return AVERROR_INVALIDDATA; @@ -244,7 +251,7 @@ int ff_srtp_encrypt(struct SRTPContext *s, const uint8_t *in, int len, buf += 8; len -= 8; } else { - int ext; + int ext, csrc; int seq = AV_RB16(buf + 2); ssrc = AV_RB32(buf + 8); @@ -253,11 +260,17 @@ int ff_srtp_encrypt(struct SRTPContext *s, const uint8_t *in, int len, s->seq_largest = seq; index = seq + (((uint64_t)s->roc) << 16); + csrc = buf[0] & 0x0f; ext = buf[0] & 0x10; buf += 12; len -= 12; + buf += 4 * csrc; + len -= 4 * csrc; + if (len < 0) + return AVERROR_INVALIDDATA; + if (ext) { if (len < 4) return AVERROR_INVALIDDATA; |