diff options
author | Janne Grunau <janne-libav@jannau.net> | 2012-01-03 18:11:36 +0100 |
---|---|---|
committer | Janne Grunau <janne-libav@jannau.net> | 2012-01-04 11:18:24 +0100 |
commit | a2d1d216291fd8c1f4a8b3bad4f0b50c084ba96d (patch) | |
tree | 4c14cc8bfe2ebfa3a6abe64315cddaa1836108b9 /libavformat | |
parent | d209c27b09234cc40bbdbd680aa502b493edf595 (diff) | |
download | ffmpeg-a2d1d216291fd8c1f4a8b3bad4f0b50c084ba96d.tar.gz |
avio: exit early in fill_buffer without read_packet
Fixes an invalid free() with ass in avi. The sample in bug 98 passes
parts of AVPacket.data as buffer for the AVIOContext. Since the packet
is quite large fill_buffer tries to reallocate the buffer before doing
nothing. Fixes bug 98.
Diffstat (limited to 'libavformat')
-rw-r--r-- | libavformat/aviobuf.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 898f35d903..dbbbba5535 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -565,6 +565,10 @@ static void fill_buffer(AVIOContext *s) int len= s->buffer_size - (dst - s->buffer); int max_buffer_size = s->max_packet_size ? s->max_packet_size : IO_BUFFER_SIZE; + /* can't fill the buffer without read_packet, just set EOF if appropiate */ + if (!s->read_packet && s->buf_ptr >= s->buf_end) + s->eof_reached = 1; + /* no need to do anything if EOF already reached */ if (s->eof_reached) return; |