Fix av_packet_split_side_data.

p cannot be calculated before av_dup_packet since that one might change avpkt->data, causing invalid reads and a non-working range check. Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
author: Reimar Döffinger <Reimar.Doeffinger@gmx.de> 2011-11-06 01:33:31 +0100
committer: Reimar Döffinger <Reimar.Doeffinger@gmx.de> 2011-11-06 09:37:34 +0100
commit: 54a09f18e3d1d3f049c72878f1c891ab0336408a (patch)
tree: 0374b5590a5f902e6c103cd612bb94a680988012 /libavcodec/avpacket.c
parent: 64bf5a0c7ffb3c01b93bb8aba0334839756b5ac1 (diff)
download: ffmpeg-54a09f18e3d1d3f049c72878f1c891ab0336408a.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c
index ff34285b48..a4bd442176 100644
--- a/libavcodec/avpacket.c
+++ b/libavcodec/avpacket.c
@@ -237,10 +237,11 @@ int av_packet_split_side_data(AVPacket *pkt){
     if (!pkt->side_data_elems && pkt->size >12 && AV_RB64(pkt->data + pkt->size - 8) == FF_MERGE_MARKER){
         int i;
         unsigned int size;
-        uint8_t *p= pkt->data + pkt->size - 8 - 5;
+        uint8_t *p;
 
         av_dup_packet(pkt);
 
+        p = pkt->data + pkt->size - 8 - 5;
         for (i=1; ; i++){
             size = AV_RB32(p);
             if (size>INT_MAX || p - pkt->data <= size)
author	Reimar Döffinger <Reimar.Doeffinger@gmx.de>	2011-11-06 01:33:31 +0100
committer	Reimar Döffinger <Reimar.Doeffinger@gmx.de>	2011-11-06 09:37:34 +0100
commit	54a09f18e3d1d3f049c72878f1c891ab0336408a (patch)
tree	0374b5590a5f902e6c103cd612bb94a680988012 /libavcodec/avpacket.c
parent	64bf5a0c7ffb3c01b93bb8aba0334839756b5ac1 (diff)
download	ffmpeg-54a09f18e3d1d3f049c72878f1c891ab0336408a.tar.gz