aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec/sbc_parser.c
diff options
context:
space:
mode:
authorAndreas Rheinhardt <andreas.rheinhardt@outlook.com>2021-08-25 16:13:12 +0200
committerAndreas Rheinhardt <andreas.rheinhardt@outlook.com>2021-08-30 15:48:11 +0200
commitb2d61d0f02199be2d3d2b57a6bd1b4121b7b9bd1 (patch)
tree29efc7bc3edd58ee74ff86076248de230106d995 /libavcodec/sbc_parser.c
parent7352c370faa793f897f44d48e7ddc11a4f11bf92 (diff)
downloadffmpeg-b2d61d0f02199be2d3d2b57a6bd1b4121b7b9bd1.tar.gz
avformat/matroskadec: Fix heap-buffer overflow upon gigantic timestamps
The WebM DASH Manifest demuxer creates a comma-delimited list of all the timestamps of index entries. It allocates 20 bytes per timestamp; yet the largest 64bit numbers have 20 decimal digits (for int64_t it can be '-'+ 19 digits), so that one needs 21B per entry because of the comma (resp. the final NUL). The code uses snprintf, but snprintf returns the strlen of the string that would have been written had the supplied buffer been big enough. And if this is 21, then the next entry is written at an offset of 21 from the current position. So if enough such entries exist, the buffer won't suffice. This commit fixes this by replacing the allocation of buffer for the supposedly worst-case with dynamic allocations by using an AVBPrint. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Diffstat (limited to 'libavcodec/sbc_parser.c')
0 files changed, 0 insertions, 0 deletions