aboutsummaryrefslogtreecommitdiffstats
path: root/libavfilter
diff options
context:
space:
mode:
authorLimin Wang <lance.lmwang@gmail.com>2020-07-04 20:32:58 +0800
committerLimin Wang <lance.lmwang@gmail.com>2020-07-08 23:12:48 +0800
commit3ede8acba6270e46080f14caa6d91963ff3c01d2 (patch)
tree80f371836ad4cfccfa507bc602dcf25dc2a93272 /libavfilter
parent1dee8bf9099ce9460486c566aa1fb0612890d939 (diff)
downloadffmpeg-3ede8acba6270e46080f14caa6d91963ff3c01d2.tar.gz
avfilter/vf_showinfo: check sd->size before reference the sd->data
Or it'll cause null pointer dereference if size < sizeof(uint32_t), also in case tc[0] > 3, the code will report error directly. Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
Diffstat (limited to 'libavfilter')
-rw-r--r--libavfilter/vf_showinfo.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/libavfilter/vf_showinfo.c b/libavfilter/vf_showinfo.c
index d7ee677c68..1634f68a78 100644
--- a/libavfilter/vf_showinfo.c
+++ b/libavfilter/vf_showinfo.c
@@ -365,15 +365,15 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame)
break;
case AV_FRAME_DATA_S12M_TIMECODE: {
uint32_t *tc = (uint32_t*)sd->data;
- int m = FFMIN(tc[0],3);
- if (sd->size != 16) {
+
+ if ((sd->size != sizeof(uint32_t) * 4) || (tc[0] > 3)) {
av_log(ctx, AV_LOG_ERROR, "invalid data\n");
break;
}
- for (int j = 1; j <= m; j++) {
+ for (int j = 1; j <= tc[0]; j++) {
char tcbuf[AV_TIMECODE_STR_SIZE];
av_timecode_make_smpte_tc_string(tcbuf, tc[j], 0);
- av_log(ctx, AV_LOG_INFO, "timecode - %s%s", tcbuf, j != m ? ", " : "");
+ av_log(ctx, AV_LOG_INFO, "timecode - %s%s", tcbuf, j != tc[0] ? ", " : "");
}
break;
}