From 24fee95321c1463360ba7042d026dae021854360 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 3 Oct 2013 12:29:37 +0200 Subject: rtmpproto: Move the flv header/trailer addition to append_flv_data MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit update_offset is also called from handle_metadata, where the packet header sizes is already included in the size. Previously this lead to flv_data/flv_size including 15 uninitialized bytes at the end after each call to handle_metadata, making the flv demuxer lose sync with the stream. Also remove leftover copying in handle_metadata. This is a leftover from the refactoring in 5840473. (Previously this final mempcy was the one that copied all the packets at once, while this is done within the loop right now.) After making sure flv_size is set to the right size, this write was out of bounds. Signed-off-by: Martin Storsjö --- libavformat/rtmpproto.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'libavformat') diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index 21d7ad8..bc6cd3f 100644 --- a/libavformat/rtmpproto.c +++ b/libavformat/rtmpproto.c @@ -2077,11 +2077,11 @@ static int update_offset(RTMPContext *rt, int size) if (rt->flv_off < rt->flv_size) { // There is old unread data in the buffer, thus append at the end old_flv_size = rt->flv_size; - rt->flv_size += size + 15; + rt->flv_size += size; } else { // All data has been read, write the new data at the start of the buffer old_flv_size = 0; - rt->flv_size = size + 15; + rt->flv_size = size; rt->flv_off = 0; } @@ -2096,7 +2096,7 @@ static int append_flv_data(RTMPContext *rt, RTMPPacket *pkt, int skip) const int size = pkt->size - skip; uint32_t ts = pkt->timestamp; - old_flv_size = update_offset(rt, size); + old_flv_size = update_offset(rt, size + 15); if ((ret = av_reallocp(&rt->flv_data, rt->flv_size)) < 0) { rt->flv_size = rt->flv_off = 0; @@ -2229,7 +2229,6 @@ static int handle_metadata(RTMPContext *rt, RTMPPacket *pkt) next += size + 3 + 4; p += size + 3 + 4; } - memcpy(p, next, RTMP_HEADER); return 0; } -- cgit v1.1