[FFmpeg-devel] Segmentation fault in "rtpdec_h264.c"

Belevern . belevern at gmail.com
Fri May 4 20:10:25 CEST 2012


I'm using a Beward B2.920F IP camera, and when I use ffmpeg's RTSP support
there is a segmentation fault at this line:
memcpy(pkt->data+sizeof(start_sequence)+sizeof(nal), buf, len); in file
rtpdec_h264.c
The same happens on Windows and Linux.
It happens because this camera model sometimes sends a packet whose
useful-data length is 0-3 bytes (in h264_handle_packet, len = 0 or 1 or 2). I
fixed it with this patch:

*** /home/belevern/ffmpeg-git/ffmpeg/libavformat/rtpdec_h264.c
2012-05-04 22:02:10.000000000 +0400
--- /home/belevern/ffmpeg-git-old/ffmpeg/libavformat/rtpdec_h264.c
2012-05-04 21:20:19.000000000 +0400
***************
*** 173,183 ****
                                const uint8_t * buf,
                                int len, int flags)
  {
!     uint8_t nal = buf[0];
!     uint8_t type = (nal & 0x1f);
      int result= 0;
      uint8_t start_sequence[] = { 0, 0, 0, 1 };

  #ifdef DEBUG
      assert(data);
      assert(data->cookie == MAGIC_COOKIE);
--- 173,191 ----
                                const uint8_t * buf,
                                int len, int flags)
  {
!     uint8_t nal;
!     uint8_t type;
      int result= 0;
      uint8_t start_sequence[] = { 0, 0, 0, 1 };

+     if(!len){ //this fix for some RTSP cameras
+         av_log(ctx, AV_LOG_ERROR,"Zero length data\n");
+         return -1;
+     }
+
+     nal = buf[0];
+     type = (nal & 0x1f);
+
  #ifdef DEBUG
      assert(data);
      assert(data->cookie == MAGIC_COOKIE);
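Review bot: The added guard `if(!len)` rejects only a length of exactly zero, but `len` is a signed `int`, so a negative value would still reach `nal = buf[0];`; `if (len < 1)` covers both cases. Since the payload comes from a network peer, I would also replace the comment with one that states the invariant, e.g. `// need at least the one-byte NAL header before reading buf[0]`. If the callers accept it (they are not visible here), `return AVERROR_INVALIDDATA;` is more informative than a bare `-1`. The function body continues outside this hunk, so the remaining NAL-type cases are not shown and may need their own minimum-length checks.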
***************
*** 271,277 ****
      case 28:                   // FU-A (fragmented nal)
          buf++;
          len--;                  // skip the fu_indicator
!         {
              // these are the same as above, we just redo them here for
clarity...
              uint8_t fu_indicator = nal;
              uint8_t fu_header = *buf;   // read the fu_header.
--- 279,285 ----
      case 28:                   // FU-A (fragmented nal)
          buf++;
          len--;                  // skip the fu_indicator
!         if(len>1){    //skipping zero-length data (this fix for some RTSP
cameras)
              // these are the same as above, we just redo them here for
clarity...
              uint8_t fu_indicator = nal;
              uint8_t fu_header = *buf;   // read the fu_header.
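Review bot: The condition `if(len>1)` and its comment disagree: the comment speaks of zero-length data, but `len` has already been decremented for the fu_indicator here, so the test also rejects a fragment that carries a fu_header and no payload (`len == 1`). State the requirement in the comment so the threshold is not later mistaken for an off-by-one, e.g. `// need the fu_header byte plus at least one payload byte`. The guarded block continues outside this hunk; judging by the description, a further length decrement and the `memcpy` follow there, which is presumably how a short packet turned into an oversized copy length.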
***************
*** 302,307 ****
--- 310,318 ----
                  av_new_packet(pkt, len);
                  memcpy(pkt->data, buf, len);
              }
+         }else{
+             av_log(ctx, AV_LOG_ERROR, "Zero-length data in FU-A
(%u)\n",len);
+             result = -1;
          }
          break;
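Review bot: The added `av_log` call passes the `int` variable `len` to a `%u` conversion; it should be `%d`. The text "Zero-length data" is also printed when `len` is 1, so a neutral message describes the rejected input more accurately: `av_log(ctx, AV_LOG_ERROR, "FU-A packet too short (%d)\n", len);`. Because a misbehaving or hostile sender can trigger this branch on every packet, consider whether error level is right here or whether the message should be logged at a lower level to avoid flooding the log.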

