diff options
| author | Martin Storsjö <martin@martin.st> | 2011-02-27 01:02:32 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2011-03-03 14:15:09 +0100 |
| commit | 62d0a7453af12e9e7880dd08d4dafe20374625c1 (patch) | |
| tree | 7dad991748d15c90ace7cae62461af5d36146891 /libavformat | |
| parent | cd37308b7774db3fd52ae079844ab0ac8e31fb7d (diff) | |
| download | ffmpeg-62d0a7453af12e9e7880dd08d4dafe20374625c1.tar.gz | |
aviobuf: Write new data at s->buf_end in fill_buffer
In most cases, s->buf_ptr will be equal to s->buf_end when
fill_buffer is called, but this may not always be the case, if
we're seeking forward by reading (permitted by the short seek
threshold).
If fill_buffer is writing to s->buf_ptr instead of s->buf_end (when
they aren't equal and s->buf_ptr is ahead of s->buffer), the data
between s->buf_ptr and s->buf_end is overwritten, leading to
inconsistent buffer content. This could return incorrect data if
later seeking back into the area before the current s->buf_ptr.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit e360ada2d13af36ab7afd9ebcd2bd236d23d9b96)
Diffstat (limited to 'libavformat')
| -rw-r--r-- | libavformat/aviobuf.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 0c733a704b..3f3721c58b 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -468,7 +468,7 @@ void put_tag(AVIOContext *s, const char *tag) static void fill_buffer(AVIOContext *s) { - uint8_t *dst= !s->max_packet_size && s->buf_end - s->buffer < s->buffer_size ? s->buf_ptr : s->buffer; + uint8_t *dst= !s->max_packet_size && s->buf_end - s->buffer < s->buffer_size ? s->buf_end : s->buffer; int len= s->buffer_size - (dst - s->buffer); int max_buffer_size = s->max_packet_size ? s->max_packet_size : IO_BUFFER_SIZE; |