diff options
Diffstat (limited to 'libavformat/srtp.c')
-rw-r--r-- | libavformat/srtp.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/libavformat/srtp.c b/libavformat/srtp.c index 7d344b816d..993a3b6a4a 100644 --- a/libavformat/srtp.c +++ b/libavformat/srtp.c @@ -190,16 +190,23 @@ int ff_srtp_decrypt(struct SRTPContext *s, uint8_t *buf, int *lenptr) if (!(srtcp_index & 0x80000000)) return 0; } else { + int csrc; s->seq_initialized = 1; s->seq_largest = seq_largest; s->roc = roc; + csrc = buf[0] & 0x0f; ext = buf[0] & 0x10; ssrc = AV_RB32(buf + 8); buf += 12; len -= 12; + buf += 4 * csrc; + len -= 4 * csrc; + if (len < 0) + return AVERROR_INVALIDDATA; + if (ext) { if (len < 4) return AVERROR_INVALIDDATA; @@ -244,7 +251,7 @@ int ff_srtp_encrypt(struct SRTPContext *s, const uint8_t *in, int len, buf += 8; len -= 8; } else { - int ext; + int ext, csrc; int seq = AV_RB16(buf + 2); ssrc = AV_RB32(buf + 8); @@ -253,11 +260,17 @@ int ff_srtp_encrypt(struct SRTPContext *s, const uint8_t *in, int len, s->seq_largest = seq; index = seq + (((uint64_t)s->roc) << 16); + csrc = buf[0] & 0x0f; ext = buf[0] & 0x10; buf += 12; len -= 12; + buf += 4 * csrc; + len -= 4 * csrc; + if (len < 0) + return AVERROR_INVALIDDATA; + if (ext) { if (len < 4) return AVERROR_INVALIDDATA; |