Opened 7 years ago

Closed 7 years ago

#1274 closed defect (fixed)

Segmentation fault in "rtpdec_h264.c"

Reported by: Belevern Owned by:
Priority: normal Component: undetermined
Version: git-master Keywords:
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

I'm using IP-Camera Beward B2.920F and when i'm using ffmpeg's rtsp there is segmentation fault on this:
memcpy(pkt->data+sizeof(start_sequence)+sizeof(nal), buf, len);
Same in Windows and Linux.
It happens because this model of camera sometimes sends packet with lenght of usefull data 0-2 bytes (In h264_handle_packet len = 0 or 1 or 2 ). I fixed this by adding this:

return 0 on packet, no more left, 1 on packet, 1 on partial packet...
static int h264_handle_packet(AVFormatContext *ctx,

PayloadContext? *data,
AVStream *st,
AVPacket * pkt,
uint32_t * timestamp,
const uint8_t * buf,
int len, int flags)

{

if(!len){

av_log(ctx, AV_LOG_ERROR,"Beward fix (buffer is too short in packet)\n");
return 0;

}

And this:

case 28: FU-A (fragmented nal)

buf++;
len--; skip the fu_indicator
if(len>1){

these are the same as above, we just redo them here for clarity...
uint8_t fu_indicator = nal;
uint8_t fu_header = *buf;
read the fu_header.
uint8_t start_bit = fu_header >> 7;

uint8_t end_bit = (fu_header & 0x40) >> 6;

uint8_t nal_type = (fu_header & 0x1f);
uint8_t reconstructed_nal;

reconstruct this packet's true nal; only the data follows..
reconstructed_nal = fu_indicator & (0xe0);
the original nal forbidden bit and NRI are stored in this packet's nal;
reconstructed_nal |= nal_type;

skip the fu_header...
buf++;
len--;

#ifdef DEBUG

if (start_bit)

data->packet_types_received[nal_type]++;

#endif

if(start_bit) {

copy in the start sequence, and the reconstructed nal....
av_log(ctx, AV_LOG_ERROR,"%08X %08X %08X %08X\n",pkt,pkt->data,buf,len);
av_new_packet(pkt, sizeof(start_sequence)+sizeof(nal)+len);
memcpy(pkt->data, start_sequence, sizeof(start_sequence));
pkt->data[sizeof(start_sequence)]= reconstructed_nal;
memcpy(pkt->data+sizeof(start_sequence)+sizeof(nal), buf, len);

} else {

av_new_packet(pkt, len);
memcpy(pkt->data, buf, len);

}

}else{

av_log(ctx, AV_LOG_ERROR,"Beward fix (buffer is too short in packet)\n");

}
break;

Please, fix it because i can't upload it to git and compile under windows. (I'm using automated builds by Zeranoe).

Attachments (1)

rtpdec_h264.c (14.4 KB) - added by Belevern 7 years ago.
Fixed file

Download all attachments as: .zip

Change History (4)

Changed 7 years ago by Belevern

Fixed file

comment:1 Changed 7 years ago by Belevern

  • Status changed from new to open

comment:2 Changed 7 years ago by cehoyos

Please send patches to ffmpeg-devel, they get more attention there.

comment:3 Changed 7 years ago by michael

  • Resolution set to fixed
  • Status changed from open to closed

This patch has been applied over a month ago.
Sorry that noone updated this ticket

Note: See TracTickets for help on using tickets.