# HG changeset patch
# User mstorsjo
# Date 1268324774 0
# Node ID 528440939c065e7d7b92a50190b124f4db8c0708
# Parent 9e77d08ad3115ba28a432992c21754ac81a9d790
Fix a crash in the H.263 RTP packetizer
If size == 1 and buf[0] == 0 and buf[1] == 0 (the first byte after the buffer), it would set size = -1 and crash in the later memcpy.
diff -r 9e77d08ad311 -r 528440939c06 rtpenc_h263.c
--- a/rtpenc_h263.c Thu Mar 11 12:29:02 2010 +0000
+++ b/rtpenc_h263.c Thu Mar 11 16:26:14 2010 +0000
@@ -50,7 +50,7 @@
 while (size > 0) {
 q = s->buf;
- if ((buf1[0] == 0) && (buf1[1] == 0)) {
+ if (size >= 2 && (buf1[0] == 0) && (buf1[1] == 0)) {
 *q++ = 0x04;
 buf1 += 2;
 size -= 2;
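Review bot: The new `size >= 2` test on the `if` line does two jobs that nothing in the code explains. Through short-circuit evaluation it keeps `buf1[1]` from being read one byte past the input when `size == 1`, and it keeps `size -= 2` from going negative. A comment above the condition would stop a later cleanup from reordering or dropping the test, for example `/* size >= 2 must be tested first: buf1[1] is out of bounds when size == 1, and size -= 2 must not go negative */`. When the input is exactly two zero bytes, `size` becomes 0 inside the branch while the loop body continues outside this hunk. It is worth confirming that the later length computation and the `memcpy` named in the description behave sensibly for a zero-length payload. Since `size` is a signed `int` that ends up as a copy length, an explicit `len >= 0` check before that copy would be a cheap defence if other paths can shrink it.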