rtmp: Prevent reading outside of an allocate buffer when receiving server bandwidth...

Signed-off-by: Martin Storsjö <martin@martin.st>

diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index a2efe3882fe495b1ce915fa3bde21a1402ba0711..183afae4e8d2714ff7df59a4d02016a68ef5761f 100644 (file)
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -950,6 +950,13 @@ static int handle_server_bw(URLContext *s, RTMPPacket *pkt)
 {
     RTMPContext *rt = s->priv_data;
 
+    if (pkt->data_size < 4) {
+        av_log(s, AV_LOG_ERROR,
+               "Too short server bandwidth report packet (%d)\n",
+               pkt->data_size);
+        return AVERROR_INVALIDDATA;
+    }
+
     rt->server_bw = AV_RB32(pkt->data);
     if (rt->server_bw <= 0) {
         av_log(s, AV_LOG_ERROR, "Incorrect server bandwidth %d\n",