X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavformat%2Favc.c;h=b0c511e7b55241577303c55a85f8f9b85bf9ce9e;hb=177bb4bf50d762fcc1ace3e357a2a2bba54744ee;hp=3b990015fe370f8df0cc46538eb439ff6a632e58;hpb=2912e87a6c9264d556734e2bf94a99c64cf9b102;p=ffmpeg

diff --git a/libavformat/avc.c b/libavformat/avc.c
index 3b990015fe3..b0c511e7b55 100644
--- a/libavformat/avc.c
+++ b/libavformat/avc.c
@@ -75,8 +75,11 @@ int ff_avc_parse_nal_units(AVIOContext *pb, const uint8_t *buf_in, int size)
 
     size = 0;
     nal_start = ff_avc_find_startcode(p, end);
-    while (nal_start < end) {
-        while(!*(nal_start++));
+    for (;;) {
+        while (nal_start < end && !*(nal_start++));
+        if (nal_start == end)
+            break;
+
         nal_end = ff_avc_find_startcode(nal_start, end);
         avio_wb32(pb, nal_end - nal_start);
         avio_write(pb, nal_start, nal_end - nal_start);
@@ -89,14 +92,14 @@ int ff_avc_parse_nal_units(AVIOContext *pb, const uint8_t *buf_in, int size)
 int ff_avc_parse_nal_units_buf(const uint8_t *buf_in, uint8_t **buf, int *size)
 {
     AVIOContext *pb;
-    int ret = url_open_dyn_buf(&pb);
+    int ret = avio_open_dyn_buf(&pb);
     if(ret < 0)
         return ret;
 
     ff_avc_parse_nal_units(pb, buf_in, *size);
 
     av_freep(buf);
-    *size = url_close_dyn_buf(pb, buf);
+    *size = avio_close_dyn_buf(pb, buf);
     return 0;
 }
 
@@ -117,22 +120,26 @@ int ff_isom_write_avcc(AVIOContext *pb, const uint8_t *data, int len)
             end = buf + len;
 
             /* look for sps and pps */
-            while (buf < end) {
-                unsigned int size;
+            while (end - buf > 4) {
+                uint32_t size;
                 uint8_t nal_type;
-                size = AV_RB32(buf);
-                nal_type = buf[4] & 0x1f;
+                size = FFMIN(AV_RB32(buf), end - buf - 4);
+                buf += 4;
+                nal_type = buf[0] & 0x1f;
+
                 if (nal_type == 7) { /* SPS */
-                    sps = buf + 4;
+                    sps = buf;
                     sps_size = size;
                 } else if (nal_type == 8) { /* PPS */
-                    pps = buf + 4;
+                    pps = buf;
                     pps_size = size;
                 }
-                buf += size + 4;
+
+                buf += size;
             }
-            assert(sps);
-            assert(pps);
+
+            if (!sps || !pps || sps_size < 4 || sps_size > UINT16_MAX || pps_size > UINT16_MAX)
+                return AVERROR_INVALIDDATA;
 
             avio_w8(pb, 1); /* version */
             avio_w8(pb, sps[1]); /* profile */