[FFmpeg-cvslog] avformat/mpegts: Limit copied data to space

Michael Niedermayer git at videolan.org
Sat Nov 7 21:11:26 EET 2020


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Wed Nov  4 01:06:47 2020 +0100| [79cf7c71910a69b9f22b3e7ee6508a771262abaf] | committer: Michael Niedermayer

avformat/mpegts: Limit copied data to space

Fixes: out of array access
Fixes: 26816/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-6282861159907328.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Marton Balint <cus at passwd.hu>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79cf7c71910a69b9f22b3e7ee6508a771262abaf
---

 libavformat/mpegts.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index ebb09991dc..80d010db6c 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -3169,7 +3169,7 @@ static int mpegts_raw_read_packet(AVFormatContext *s, AVPacket *pkt)
         return ret;
     }
     if (data != pkt->data)
-        memcpy(pkt->data, data, ts->raw_packet_size);
+        memcpy(pkt->data, data, TS_PACKET_SIZE);
     finished_reading_packet(s, ts->raw_packet_size);
     if (ts->mpeg2ts_compute_pcr) {
         /* compute exact PCR for each packet */



More information about the ffmpeg-cvslog mailing list