author | Anton Khirnov <anton@khirnov.net> | 2014-01-13 13:47:07 +0100 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2014-02-06 23:01:14 -0500 |
commit | 8cade1352bde1a1d4da70fc16a722a4fa7d2edc7 (patch) | |
tree | 85e070bbae68bbe2b1e3518ee8ff12861e9e3067 /libavformat | |
parent | 5522c564d48e1bb07d8cb722e8f94575a2683e29 (diff) | |
lavf: make av_probe_input_buffer more robust
Always use the actually read size as the offset instead of making
possibly invalid assumptions.
Addresses: CVE-2012-6618
(cherry picked from commit 2115a3597457231a6e5c0527fe0ff8550f64b733)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavformat/utils.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8575f5362f98c937758b20ff8512d6767a56208e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Diffstat (limited to 'libavformat')
-rw-r--r-- | libavformat/utils.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 7065b2f004..64a0b04ea0 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -514,7 +514,6 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
 for(probe_size= PROBE_BUF_MIN; probe_size<=max_probe_size && !*fmt; probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) {
 int score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0;
- int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1;
 if (probe_size < offset) {
 continue;
@@ -522,7 +521,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
 /* read probe data */
 buf = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE);
- if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) {
+ if ((ret = avio_read(pb, buf + pd.buf_size, probe_size - pd.buf_size)) < 0) {
 /* fail if error was not end of file, otherwise, lower score */
 if (ret != AVERROR_EOF) {
 av_free(buf);
|
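Review bot: The `av_realloc` result on the line just above the changed `avio_read` call in the second hunk is still assigned straight to `buf` and never checked, so on allocation failure the new destination `buf + pd.buf_size` is derived from NULL and the previous buffer is leaked. Reallocating into a temporary would close that gap, e.g. `void *tmp = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE);` followed by `if (!tmp) { av_free(buf); return AVERROR(ENOMEM); }` and `buf = tmp;`. The new length `probe_size - pd.buf_size` is also only non-negative while `pd.buf_size <= probe_size`; the code that updates `pd.buf_size` is outside this hunk, so I would add a comment at the call such as `/* pd.buf_size is the total read so far and never exceeds probe_size */` once that has been confirmed against the rest of the loop. The loop body starts and ends outside both hunks.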