authorAnton Khirnov <anton@khirnov.net>2014-01-13 13:47:07 +0100
committerAnton Khirnov <anton@khirnov.net>2014-01-13 15:32:24 +0100
commit8575f5362f98c937758b20ff8512d6767a56208e (patch)
treec7754bffa29b88060d23225669056e16c788c63e
parent539d255871c9b3b2529c7c74167dc0e0a237452f (diff)
lavf: make av_probe_input_buffer more robust
Always use the actually read size as the offset instead of making possibly invalid assumptions.

Addresses: CVE-2012-6618
(cherry picked from commit 2115a3597457231a6e5c0527fe0ff8550f64b733)

Conflicts: libavformat/utils.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
-rw-r--r--libavformat/utils.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 6cc4178f5c..43790c72d9 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -378,11 +378,10 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
for(probe_size= PROBE_BUF_MIN; probe_size<=max_probe_size && !*fmt;
probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) {
int score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0;
- int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1;
/* read probe data */
buf = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE);
- if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) {
+ if ((ret = avio_read(pb, buf + pd.buf_size, probe_size - pd.buf_size)) < 0) {
/* fail if error was not end of file, otherwise, lower score */
if (ret != AVERROR_EOF) {
av_free(buf);