rtmpproto: Move the flv header/trailer addition to append_flv_data

update_offset is also called from handle_metadata, where the
packet header sizes is already included in the size.

Previously this lead to flv_data/flv_size including 15 uninitialized
bytes at the end after each call to handle_metadata, making the
flv demuxer lose sync with the stream.

Also remove leftover copying in handle_metadata. This is a leftover
from the refactoring in 5840473. (Previously this final mempcy was
the one that copied all the packets at once, while this is done
within the loop right now.) After making sure flv_size is set to
the right size, this write was out of bounds.

Signed-off-by: Martin Storsjö <martin@martin.st>

libavformat/rtmpproto.c

@@ -2077,11 +2077,11 @@ static int update_offset(RTMPContext *rt, int size)
     if (rt->flv_off < rt->flv_size) {
         // There is old unread data in the buffer, thus append at the end
         old_flv_size  = rt->flv_size;
-        rt->flv_size += size + 15;
+        rt->flv_size += size;
     } else {
         // All data has been read, write the new data at the start of the buffer
         old_flv_size = 0;
-        rt->flv_size = size + 15;
+        rt->flv_size = size;
         rt->flv_off  = 0;
     }
 
@@ -2096,7 +2096,7 @@ static int append_flv_data(RTMPContext *rt, RTMPPacket *pkt, int skip)
     const int size      = pkt->size - skip;
     uint32_t ts         = pkt->timestamp;
 
-    old_flv_size = update_offset(rt, size);
+    old_flv_size = update_offset(rt, size + 15);
 
     if ((ret = av_reallocp(&rt->flv_data, rt->flv_size)) < 0) {
         rt->flv_size = rt->flv_off = 0;
@@ -2229,7 +2229,6 @@ static int handle_metadata(RTMPContext *rt, RTMPPacket *pkt)
         next += size + 3 + 4;
         p    += size + 3 + 4;
     }
-    memcpy(p, next, RTMP_HEADER);
 
     return 0;
 }