[FFmpeg-cvslog] lavf: make av_probe_input_buffer more robust

Anton Khirnov git at videolan.org
Mon Mar 10 18:36:39 CET 2014


ffmpeg | branch: release/0.10 | Anton Khirnov <anton at khirnov.net> | Mon Jan 13 13:47:07 2014 +0100| [8cade1352bde1a1d4da70fc16a722a4fa7d2edc7] | committer: Reinhard Tartler

lavf: make av_probe_input_buffer more robust

Always use the actually read size as the offset instead of making
possibly invalid assumptions.

Addresses: CVE-2012-6618

(cherry picked from commit 2115a3597457231a6e5c0527fe0ff8550f64b733)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>

Conflicts:
	libavformat/utils.c

Signed-off-by: Anton Khirnov <anton at khirnov.net>
(cherry picked from commit 8575f5362f98c937758b20ff8512d6767a56208e)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8cade1352bde1a1d4da70fc16a722a4fa7d2edc7
---

 libavformat/utils.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 7065b2f..64a0b04 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -514,7 +514,6 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
     for(probe_size= PROBE_BUF_MIN; probe_size<=max_probe_size && !*fmt;
         probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) {
         int score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0;
-        int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1;
 
         if (probe_size < offset) {
             continue;
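Review bot: with the `buf_offset` declaration dropped from the top of the loop body, the write offset depends entirely on `pd.buf_size` holding the number of bytes already in `buf` across iterations, including iterations skipped by the `if (probe_size < offset) { continue;` path, and nothing in the visible lines documents that invariant. A short comment at the top of the loop, stating that `pd.buf_size` is the count of bytes read so far and must be 0 before the first iteration, would keep a later change to how `pd` is initialised or updated from silently reintroducing a wrong offset.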
@@ -522,7 +521,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
 
         /* read probe data */
         buf = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE);
-        if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) {
+        if ((ret = avio_read(pb, buf + pd.buf_size, probe_size - pd.buf_size)) < 0) {
             /* fail if error was not end of file, otherwise, lower score */
             if (ret != AVERROR_EOF) {
                 av_free(buf);
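Review bot: the `av_realloc` result in the context line directly above the changed `avio_read` call is used without a NULL check, so on allocation failure the read would target `NULL + pd.buf_size`, and assigning straight back to `buf` loses the old pointer. Reallocating into a temporary, then freeing `buf` and returning `AVERROR(ENOMEM)` on failure, would close that. Separately, the new length `probe_size - pd.buf_size` is only non-negative while `pd.buf_size <= probe_size`; the visible lines do not establish this, so an explicit check or assertion before the read would make the bound self-evident.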