Fix a crash in the H.263 RTP packetizer

If size == 1 and buf[0] == 0 and buf[1] == 0 (the first byte after the
buffer), it would set size = -1 and crash in the later memcpy.

Originally committed as revision 22469 to svn://svn.ffmpeg.org/ffmpeg/trunk

diff --git a/libavformat/rtpenc_h263.c b/libavformat/rtpenc_h263.c
index 0ea4921..84403a1 100644 (file)
--- a/libavformat/rtpenc_h263.c
+++ b/libavformat/rtpenc_h263.c
@@ -50,7 +50,7 @@ void ff_rtp_send_h263(AVFormatContext *s1, const uint8_t *buf1, int size)
 
     while (size > 0) {
         q = s->buf;
-        if ((buf1[0] == 0) && (buf1[1] == 0)) {
+        if (size >= 2 && (buf1[0] == 0) && (buf1[1] == 0)) {
             *q++ = 0x04;
             buf1 += 2;
             size -= 2;