From 56040cab4289322f9e1ba6f82f153daa2785bf08 Mon Sep 17 00:00:00 2001
From: Winlin <winlin@vip.126.com>
Date: Sat, 17 Dec 2022 15:05:10 +0800
Subject: [PATCH] GB28181: Fix memory overlap for small packets. v5.0.111
 (#3315)

---
 trunk/doc/CHANGELOG.md               | 1 +
 trunk/src/app/srs_app_gb28181.cpp    | 5 +++--
 trunk/src/core/srs_core_version5.hpp | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/trunk/doc/CHANGELOG.md b/trunk/doc/CHANGELOG.md
index 7326a92619..a1d06ad0ca 100644
--- a/trunk/doc/CHANGELOG.md
+++ b/trunk/doc/CHANGELOG.md
@@ -8,6 +8,7 @@ The changelog for SRS.
 
 ## SRS 5.0 Changelog
 
+* v5.0, 2022-12-15, For [#3300](https://github.com/ossrs/srs/issues/3300): GB28181: Fix memory overlap for small packets. v5.0.111
 * v5.0, 2022-12-14, For [#939](https://github.com/ossrs/srs/issues/939): FLV: Support set default has_av and disable guessing. v5.0.110
 * v5.0, 2022-12-13, For [#939](https://github.com/ossrs/srs/issues/939): FLV: Drop packet if header flag is not matched. v5.0.109
 * v5.0, 2022-12-13, For [#939](https://github.com/ossrs/srs/issues/939): FLV: Reset has_audio or has_video if only sequence header.
diff --git a/trunk/src/app/srs_app_gb28181.cpp b/trunk/src/app/srs_app_gb28181.cpp
index 5b6964f0e3..12f8bf0a15 100644
--- a/trunk/src/app/srs_app_gb28181.cpp
+++ b/trunk/src/app/srs_app_gb28181.cpp
@@ -1444,8 +1444,9 @@ srs_error_t SrsLazyGbMediaTcpConn::do_cycle()
             string bytes = srs_string_dumps_hex(b.head(), reserved, 16);
             srs_trace("PS: Reserved bytes for next loop, pos=%d, left=%d, total=%d, bytes=[%s]",
                 b.pos(), b.left(), b.size(), bytes.c_str());
-            // Copy the bytes left to the start of buffer.
-            b.read_bytes((char*)buffer_, reserved);
+            // Copy the bytes left to the start of buffer. Note that the left(reserved) bytes might be overlapped with
+            // buffer, so we must use memmove not memcpy, see https://github.com/ossrs/srs/issues/3300#issuecomment-1352907075
+            memmove(buffer_, b.head(), reserved);
             pack_->media_reserved_++;
         }
     }
diff --git a/trunk/src/core/srs_core_version5.hpp b/trunk/src/core/srs_core_version5.hpp
index 8897dd66c9..8c06913ed4 100644
--- a/trunk/src/core/srs_core_version5.hpp
+++ b/trunk/src/core/srs_core_version5.hpp
@@ -9,6 +9,6 @@
 
 #define VERSION_MAJOR       5
 #define VERSION_MINOR       0
-#define VERSION_REVISION    110
+#define VERSION_REVISION    111
 
 #endif