From 2357f606876173a25acf3130868e374cc44c5f47 Mon Sep 17 00:00:00 2001
From: Samuel Pitoiset <samuel.pitoiset@gmail.com>
Date: Thu, 26 Jul 2012 14:05:18 +0200
Subject: [PATCH] rtmp: Prevent reading outside of an allocate buffer when
 receiving server bandwidth packets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Martin Storsjö <martin@martin.st>
---
 libavformat/rtmpproto.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index a2efe3882f..183afae4e8 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -950,6 +950,13 @@ static int handle_server_bw(URLContext *s, RTMPPacket *pkt)
 {
     RTMPContext *rt = s->priv_data;
 
+    if (pkt->data_size < 4) {
+        av_log(s, AV_LOG_ERROR,
+               "Too short server bandwidth report packet (%d)\n",
+               pkt->data_size);
+        return AVERROR_INVALIDDATA;
+    }
+
     rt->server_bw = AV_RB32(pkt->data);
     if (rt->server_bw <= 0) {
         av_log(s, AV_LOG_ERROR, "Incorrect server bandwidth %d\n",