Avoids trying to read a packet with 0 or negative size.
Avoids a potential infinite loop due to seeking backwards.
Partially based on a patch by Michael Niedermayer.
This comment was added in e309128f, in 2002, and has been brought
along since then more or less unmodified.
The first point of the todo was implemented in dbf30963 in 2006,
the second one is not relevant to rtpdec.c (brought along from
rtp.c in 8eb793c4 in 2008) but would be more relevant to the
rtp muxer, although it isn't a good idea anyway.
Signed-off-by: Martin Storsjö <martin@martin.st>
The values compared here can be more than INT64_MAX apart. Since the
difference is always positive, converting to uint64_t before subtracting
gives the correct result without overflows.
Signed-off-by: Mans Rullgard <mans@mansr.com>
Also remove a duplicate function in the MPEG-TS demuxer.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
Also make sure extradata is freed in the case where multiple
NUV_EXTRADATA frame types are found. This may not happen in practice,
but it could happen in a malformed stream, which would lead to a memleak
if not handled.
Fixes curruption of metadata in the INFO chunk.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
Scaling the denominator instead of the numerator if it is too large
loses precision. Fixes an assert caused by a negative frame duration in
the fuzzed sample nasa-8s2.ts_s202310.
CC: libav-stable@libav.org
Current code would incorrectly process e.g. 'ff 00 ff 00 ff' to
'ff ff ff', while it should be 'ff ff 00 ff'.
Fixes Bug 395.
CC: libav-stable@libav.org
The following error handling is broken due to signedness.
int file_size;
uint32_t tag_bytes;
int64_t tag_start;
...
tag_start = file_size - tag_bytes - APE_TAG_FOOTER_BYTES;
if (tag_start < 0) { ... }
Note that tag_bytes is unsigned, which makes the right-hand side of
`tag_start = ...' unsigned, too. The 32-bit unsigned value is then
zero-extended to 64 bits. Therefore, tag_start must be non-negative,
and the check (tag_start < 0) is always false, which breaks the error
handling. This patch fixes the check.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Since the pointer `oc' is NULL, oc->oformat->name will cause a null
pointer dereference. This patch changes it to seg->oformat->name.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Martin Storsjö <martin@martin.st>
