Opened 13 years ago

Closed 12 years ago

#1274 closed defect (fixed)

Segmentation fault in "rtpdec_h264.c"

Reported by: Ivan
Owned by:
Priority: normal
Component: undetermined
Version: git-master
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

I'm using IP-Camera Beward B2.920F and when I'm using ffmpeg's rtsp there is a segmentation fault on this:
    memcpy(pkt->data+sizeof(start_sequence)+sizeof(nal), buf, len);
Same in Windows and Linux.
It happens because this model of camera sometimes sends a packet with a length of useful data of 0-2 bytes (in h264_handle_packet len = 0 or 1 or 2). I fixed this by adding this:

    // return 0 on packet, no more left, 1 on packet, 1 on partial packet...
    static int h264_handle_packet(AVFormatContext *ctx,
                                  PayloadContext *data,
                                  AVStream *st,
                                  AVPacket * pkt,
                                  uint32_t * timestamp,
                                  const uint8_t * buf,
                                  int len, int flags)
    {
        // reject an empty payload before the NAL header byte is read
        if(!len){
            av_log(ctx, AV_LOG_ERROR,"Beward fix (buffer is too short in packet)\n");
            return 0;
        }

And this:

    case 28:                    // FU-A (fragmented nal)
        buf++;
        len--;                  // skip the fu_indicator
        // need the fu_header plus at least one byte of fragment data
        if(len>1){
            // these are the same as above, we just redo them here for clarity...
            uint8_t fu_indicator = nal;
            uint8_t fu_header = *buf;   // read the fu_header.
            uint8_t start_bit = fu_header >> 7;
            uint8_t end_bit = (fu_header & 0x40) >> 6;
            uint8_t nal_type = (fu_header & 0x1f);
            uint8_t reconstructed_nal;

            // reconstruct this packet's true nal; only the data follows..
            reconstructed_nal = fu_indicator & (0xe0);  // the original nal forbidden bit and NRI are stored in this packet's nal;
            reconstructed_nal |= nal_type;

            // skip the fu_header...
            buf++;
            len--;

    #ifdef DEBUG
            if (start_bit)
                data->packet_types_received[nal_type]++;
    #endif

            if(start_bit) {
                // copy in the start sequence, and the reconstructed nal....
                av_log(ctx, AV_LOG_ERROR,"%p %p %p %d\n",(void *)pkt,(void *)pkt->data,(const void *)buf,len);
                av_new_packet(pkt, sizeof(start_sequence)+sizeof(nal)+len);
                memcpy(pkt->data, start_sequence, sizeof(start_sequence));
                pkt->data[sizeof(start_sequence)]= reconstructed_nal;
                memcpy(pkt->data+sizeof(start_sequence)+sizeof(nal), buf, len);
            } else {
                av_new_packet(pkt, len);
                memcpy(pkt->data, buf, len);
            }
        }else{
            av_log(ctx, AV_LOG_ERROR,"Beward fix (buffer is too short in packet)\n");
        }
        break;

Please fix it, because I can't upload it to git and compile under Windows. (I'm using automated builds by Zeranoe.)

Attachments (1)

rtpdec_h264.c (14.4 KB) - added by Ivan 13 years ago.
Fixed file
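
The length check the description asks for, as a stand-alone added example (not the reporter's patch and not FFmpeg's code). `fua_depacketize` is a hypothetical helper that rejects FU-A payloads shorter than three bytes before anything is read or copied; the 4-byte start code and the malloc'd output buffer are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Annex B start code; the 4-byte form is an assumption of this example. */
static const uint8_t start_sequence[] = { 0, 0, 0, 1 };

/* Hypothetical helper (not FFmpeg API): depacketize one H.264 FU-A RTP
 * payload. Returns bytes written to the malloc'd *out, or -1 if the
 * payload is malformed or allocation fails. */
int fua_depacketize(const uint8_t *buf, int len, uint8_t **out)
{
    *out = NULL;
    /* fu_indicator + fu_header + at least one data byte. Checking before
     * any read or decrement keeps len from going negative, where the
     * memcpy size would wrap to a huge size_t. */
    if (!buf || len < 3 || (buf[0] & 0x1f) != 28)
        return -1;

    uint8_t start_bit = buf[1] >> 7;
    /* F and NRI bits come from fu_indicator, the type from fu_header. */
    uint8_t nal = (buf[0] & 0xe0) | (buf[1] & 0x1f);
    buf += 2;
    len -= 2;                                   /* len >= 1 from here on */

    size_t hdr = start_bit ? sizeof(start_sequence) + 1 : 0;
    uint8_t *p = malloc(hdr + (size_t)len);
    if (!p)
        return -1;
    if (start_bit) {                            /* first fragment of a NAL */
        memcpy(p, start_sequence, sizeof(start_sequence));
        p[sizeof(start_sequence)] = nal;
    }
    memcpy(p + hdr, buf, (size_t)len);
    *out = p;
    return (int)(hdr + (size_t)len);
}

int main(void)
{
    /* Constructed payloads: a valid start fragment and a 1-byte runt. */
    const uint8_t good[] = { 0x7c, 0x85, 0xaa, 0xbb }, runt[] = { 0x7c };
    uint8_t *out;
    printf("good: %d\n", fua_depacketize(good, (int)sizeof(good), &out));
    free(out);
    printf("runt: %d\n", fua_depacketize(runt, (int)sizeof(runt), &out));
    return 0;
}
```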


Change History (4)

by Ivan, 13 years ago

Attachment: rtpdec_h264.c added

Fixed file

comment:1 by Ivan, 13 years ago

Status: new → open

comment:2 by Carl Eugen Hoyos, 13 years ago

Please send patches to ffmpeg-devel, they get more attention there.

comment:3 by Michael Niedermayer, 12 years ago

Resolution: fixed
Status: open → closed

This patch was applied over a month ago.
Sorry that no one updated this ticket.
