a4fec9a7ea
When receiving fragmented packets, the first packet declares the size, and the later ones normally are small follow-on packets that don't repeat the size and the other header fields. But technically, the later fragments also can have a full header, declaring a different size than the previous packet. If the follow-on packet declares a larger size than the initial one, we could end up writing outside of the allocation. This fixes out of bounds writes. Found-by: Paul Cher <paulcher@icloud.com> Reviewed-by: Paul Cher <paulcher@icloud.com> CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st>
21 KiB
21 KiB