[FFmpeg-cvslog] avformat/ac3dec: Check buf2 before adding 16 in ac3_eac3_probe()
Michael Niedermayer
git at videolan.org
Sat Oct 28 21:28:24 EEST 2017
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat Oct 28 16:16:46 2017 +0200| [eb54efc1e1aafe18d0a8a0c72a78314645bccc83] | committer: Michael Niedermayer
avformat/ac3dec: Check buf2 before adding 16 in ac3_eac3_probe()
This is needed since e0250cf3651e6417e0117486a7816b45fb2d34cd as that uses end-buf2
Note, there are more than 16 bytes allocated beyond "end"
Fixes: regression (segfault) with probetest
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eb54efc1e1aafe18d0a8a0c72a78314645bccc83
---
libavformat/ac3dec.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavformat/ac3dec.c b/libavformat/ac3dec.c
index 8ea73824a6..6f423ff7eb 100644
--- a/libavformat/ac3dec.c
+++ b/libavformat/ac3dec.c
@@ -47,8 +47,11 @@ static int ac3_eac3_probe(AVProbeData *p, enum AVCodecID expected_codec_id)
uint16_t frame_size;
int i, ret;
- if(!memcmp(buf2, "\x1\x10\0\0\0\0\0\0", 8))
+ if(!memcmp(buf2, "\x1\x10\0\0\0\0\0\0", 8)) {
+ if (buf2 + 16 > end)
+ break;
buf2+=16;
+ }
if (buf[0] == 0x77 && buf[1] == 0x0B) {
for(i=0; i<8; i+=2) {
buf3[i ] = buf2[i+1];
More information about the ffmpeg-cvslog
mailing list