rtmpproto: Validate the embedded flv packet size before copying

This wasn't an issue prior to 58404738, when the whole RTMP packet
was copied at once and the length of the individual embedded flv
packets only were validated by the flv demuxer.

Prior to this patch, this could lead to reads and writes out of bound.

Signed-off-by: Martin Storsjö <martin@martin.st>

libavformat/rtmpproto.c

@@ -2221,6 +2221,8 @@ static int handle_metadata(RTMPContext *rt, RTMPPacket *pkt)
             pts = cts;
         ts += cts - pts;
         pts = cts;
+        if (size + 3 + 4 > pkt->data + pkt->size - next)
+            break;
         bytestream_put_byte(&p, type);
         bytestream_put_be24(&p, size);
         bytestream_put_be24(&p, ts);