rtpdec/srtp: Handle CSRC fields being present

This is untested in practice, but follows the spec. Signed-off-by: Martin Storsjö <martin@martin.st>

rtpdec/srtp: Handle CSRC fields being present
This is untested in practice, but follows the spec. Signed-off-by: Martin Storsjö <martin@martin.st>
f53490cc · Martin Storsjö · a76bc3bc · f53490cc · f53490cc
Commit f53490cc authored Jan 20, 2013 by Martin Storsjö
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 4 deletions

rtpdec.c libavformat/rtpdec.c +7 -3

srtp.c libavformat/srtp.c +14 -1

No files found.
--- a/libavformat/rtpdec.c
+++ b/libavformat/rtpdec.c
@@ -575,11 +575,12 @@ static int rtp_parse_packet_internal(RTPDemuxContext *s, AVPacket *pkt,
 {
    unsigned int ssrc;
    int payload_type, seq, flags = 0;
-    int ext;
+    int ext, csrc;
    AVStream *st;
    uint32_t timestamp;
    int rv = 0;

+    csrc         = buf[0] & 0x0f;
    ext          = buf[0] & 0x10;
    payload_type = buf[1] & 0x7f;
    if (buf[1] & 0x80)
@@ -613,6 +614,11 @@ static int rtp_parse_packet_internal(RTPDemuxContext *s, AVPacket *pkt,
    len   -= 12;
    buf   += 12;

+    len   -= 4 * csrc;
+    buf   += 4 * csrc;
+    if (len < 0)
+        return AVERROR_INVALIDDATA;
+
    /* RFC 3550 Section 5.3.1 RTP Header Extension handling */
    if (ext) {
        if (len < 4)
@@ -633,8 +639,6 @@ static int rtp_parse_packet_internal(RTPDemuxContext *s, AVPacket *pkt,
                                      s->st, pkt, &timestamp, buf, len, seq,
                                      flags);
    } else if (st) {
-        /* At this point, the RTP header has been stripped;
-         * This is ASSUMING that there is only 1 CSRC, which isn't wise. */
        if ((rv = av_new_packet(pkt, len)) < 0)
            return rv;
        memcpy(pkt->data, buf, len);

--- a/libavformat/srtp.c
+++ b/libavformat/srtp.c
@@ -190,16 +190,23 @@ int ff_srtp_decrypt(struct SRTPContext *s, uint8_t *buf, int *lenptr)
        if (!(srtcp_index & 0x80000000))
            return 0;
    } else {
+        int csrc;
        s->seq_initialized = 1;
        s->seq_largest     = seq_largest;
        s->roc             = roc;

+        csrc = buf[0] & 0x0f;
        ext  = buf[0] & 0x10;
        ssrc = AV_RB32(buf + 8);

        buf += 12;
        len -= 12;

+        buf += 4 * csrc;
+        len -= 4 * csrc;
+        if (len < 0)
+            return AVERROR_INVALIDDATA;
+
        if (ext) {
            if (len < 4)
                return AVERROR_INVALIDDATA;
@@ -244,7 +251,7 @@ int ff_srtp_encrypt(struct SRTPContext *s, const uint8_t *in, int len,
        buf += 8;
        len -= 8;
    } else {
-        int ext;
+        int ext, csrc;
        int seq = AV_RB16(buf + 2);
        ssrc = AV_RB32(buf + 8);

@@ -253,11 +260,17 @@ int ff_srtp_encrypt(struct SRTPContext *s, const uint8_t *in, int len,
        s->seq_largest = seq;
        index = seq + (((uint64_t)s->roc) << 16);

+        csrc = buf[0] & 0x0f;
        ext = buf[0] & 0x10;

        buf += 12;
        len -= 12;

+        buf += 4 * csrc;
+        len -= 4 * csrc;
+        if (len < 0)
+            return AVERROR_INVALIDDATA;
+
        if (ext) {
            if (len < 4)
                return AVERROR_INVALIDDATA;