[Ffmpeg-devel] [patch] libavcodec/mpeg12.c:find_start_code() off by one
Michael Niedermayer
Tue Jan 10 22:48:19 CET 2006
Hi
On Tue, Jan 10, 2006 at 10:24:59AM -0800, Jim Westfall wrote:
> Hi
>
> There is an off by one error in find_start_code that can/does trigger a
> segfault within mpeg1_decode_picture() because it's getting passed -1 as
> the input_size.
>
> static int find_start_code(const uint8_t **pbuf_ptr, const uint8_t *buf_end)
> {
>     const uint8_t *buf_ptr= *pbuf_ptr;
>
>     buf_ptr++; // guarantees that -1 is within the array
>     buf_end -= 2; // guarantees that +2 is within the array
>
>     while (buf_ptr < buf_end) {
>         if(*buf_ptr==0){
>             while(buf_ptr < buf_end && buf_ptr[1]==0)
>                 buf_ptr++;
>
>             if(buf_ptr[-1] == 0 && buf_ptr[1] == 1){
>                 *pbuf_ptr = buf_ptr+3;
>                 return buf_ptr[2] + 0x100;
>             }
>         }
>         buf_ptr += 2;
>     }
>
> If the inner while loop fails because buf_ptr == buf_end, and the
> following if statement is true, the code will set *pbuf_ptr = buf_ptr+3
> which is 1 byte past the real end of the buffer (buf_end+2).
patch looks ok, can be applied if the regression tests pass
[...]
--
Michael