diff options
author | Limin Wang <lance.lmwang@gmail.com> | 2020-07-04 20:32:58 +0800 |
---|---|---|
committer | Limin Wang <lance.lmwang@gmail.com> | 2020-07-08 23:12:48 +0800 |
commit | 3ede8acba6270e46080f14caa6d91963ff3c01d2 (patch) | |
tree | 80f371836ad4cfccfa507bc602dcf25dc2a93272 /libavfilter | |
parent | 1dee8bf9099ce9460486c566aa1fb0612890d939 (diff) | |
download | ffmpeg-3ede8acba6270e46080f14caa6d91963ff3c01d2.tar.gz |
avfilter/vf_showinfo: check sd->size before reference the sd->data
Or it'll cause null pointer dereference if size < sizeof(uint32_t), also
in case tc[0] > 3, the code will report error directly.
Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
Diffstat (limited to 'libavfilter')
-rw-r--r-- | libavfilter/vf_showinfo.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/libavfilter/vf_showinfo.c b/libavfilter/vf_showinfo.c index d7ee677c68..1634f68a78 100644 --- a/libavfilter/vf_showinfo.c +++ b/libavfilter/vf_showinfo.c @@ -365,15 +365,15 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) break; case AV_FRAME_DATA_S12M_TIMECODE: { uint32_t *tc = (uint32_t*)sd->data; - int m = FFMIN(tc[0],3); - if (sd->size != 16) { + + if ((sd->size != sizeof(uint32_t) * 4) || (tc[0] > 3)) { av_log(ctx, AV_LOG_ERROR, "invalid data\n"); break; } - for (int j = 1; j <= m; j++) { + for (int j = 1; j <= tc[0]; j++) { char tcbuf[AV_TIMECODE_STR_SIZE]; av_timecode_make_smpte_tc_string(tcbuf, tc[j], 0); - av_log(ctx, AV_LOG_INFO, "timecode - %s%s", tcbuf, j != m ? ", " : ""); + av_log(ctx, AV_LOG_INFO, "timecode - %s%s", tcbuf, j != tc[0] ? ", " : ""); } break; } |