[Ffmpeg-devel] [patch] libavcodec/mpeg12.c:find_start_code() off by one
Benjamin Larsson
banan
Sat Jan 14 19:46:47 CET 2006
Michael Niedermayer wrote:
>Hi
>
>On Tue, Jan 10, 2006 at 10:24:59AM -0800, Jim Westfall wrote:
>
>>Hi
>>
>>There is an off by one error in find_start_code that can/does trigger a
>>segfault within mpeg1_decode_picture() because its getting passed -1 as
>>the input_size.
>>
>>static int find_start_code(const uint8_t **pbuf_ptr, const uint8_t *buf_end)
>>{
>>    const uint8_t *buf_ptr= *pbuf_ptr;
>>
>>    buf_ptr++; //guarantees that -1 is within the array
>>    buf_end -= 2; // guarantees that +2 is within the array
>>
>>    while (buf_ptr < buf_end) {
>>        if(*buf_ptr==0){
>>            while(buf_ptr < buf_end && buf_ptr[1]==0)
>>                buf_ptr++;
>>
>>            if(buf_ptr[-1] == 0 && buf_ptr[1] == 1){
>>                *pbuf_ptr = buf_ptr+3;
>>                return buf_ptr[2] + 0x100;
>>            }
>>        }
>>        buf_ptr += 2;
>>    }
>>
>>If the inner while loop fails because buf_ptr == buf_end, and the
>>following if statement is true, the code will set *pbuf_ptr = buf_ptr+3
>>which is 1 byte past the real end of the buffer (buf_end+2).
>
>patch looks ok, can be applied if the regression tests pass
>
>[...]
Committed.
Best regards,
Benjamin Larsson
--
"incorrect information" is an oxymoron. Information is, by definition, factual, correct.
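The overrun Jim describes, reproduced as an added example (this is editor-written code, not the patch that was committed, which is elided above). The quoted snippet stops after the search loop, so the not-found tail (`*pbuf_ptr = buf_end + 2; return -1;`) is an assumption, as is the fix shown in `find_start_code_fixed`: it refuses to match once `buf_ptr` has reached the adjusted end, which is exactly the state in which `buf_ptr[2]` is the byte after the caller's buffer. The sample buffer is constructed: a sequence-header start code, one payload byte, and a truncated `00 00 01` at the end, followed by a sentinel byte standing in for whatever memory happens to follow.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Search loop as quoted in the mail. The tail after the loop is not on the
   page; the not-found path below is an assumption for the example. */
static int find_start_code_orig(const uint8_t **pbuf_ptr, const uint8_t *buf_end)
{
    const uint8_t *buf_ptr = *pbuf_ptr;

    buf_ptr++;    /* guarantees that -1 is within the array */
    buf_end -= 2; /* guarantees that +2 is within the array */

    while (buf_ptr < buf_end) {
        if (*buf_ptr == 0) {
            while (buf_ptr < buf_end && buf_ptr[1] == 0)
                buf_ptr++;

            /* BUG: when the inner loop stopped because buf_ptr == buf_end,
               buf_ptr[2] is one byte past the real end (buf_end + 2) and
               *pbuf_ptr is set one past it as well. */
            if (buf_ptr[-1] == 0 && buf_ptr[1] == 1) {
                *pbuf_ptr = buf_ptr + 3;
                return buf_ptr[2] + 0x100;
            }
        }
        buf_ptr += 2;
    }
    *pbuf_ptr = buf_end + 2; /* assumed not-found behaviour */
    return -1;
}

/* Hardened variant (editor's fix, not necessarily the committed one): a
   match is only accepted while buf_ptr < buf_end, so buf_ptr[2] can never
   leave the caller's buffer. */
static int find_start_code_fixed(const uint8_t **pbuf_ptr, const uint8_t *buf_end)
{
    const uint8_t *buf_ptr = *pbuf_ptr;

    buf_ptr++;
    buf_end -= 2;

    while (buf_ptr < buf_end) {
        if (*buf_ptr == 0) {
            while (buf_ptr < buf_end && buf_ptr[1] == 0)
                buf_ptr++;

            if (buf_ptr < buf_end && buf_ptr[-1] == 0 && buf_ptr[1] == 1) {
                *pbuf_ptr = buf_ptr + 3;
                return buf_ptr[2] + 0x100;
            }
        }
        buf_ptr += 2;
    }
    *pbuf_ptr = buf_end + 2;
    return -1;
}

typedef struct {
    int first_code;     /* code found by the first call */
    int second_code;    /* code found by the second call */
    ptrdiff_t overrun;  /* bytes the returned pointer lies past the real end */
    ptrdiff_t remaining; /* buf_end - buf_ptr, what a caller would use as input_size */
} scan_result;

/* Constructed sample: 00 00 01 B3 (sequence header), one payload byte,
   then a truncated start code 00 00 01 at the very end. backing[8] is a
   sentinel for the memory after the 8-byte buffer, so the out-of-bounds
   read lands on a known byte instead of undefined memory. */
static scan_result scan_sample(int (*find)(const uint8_t **, const uint8_t *))
{
    static const uint8_t backing[9] = {
        0x00, 0x00, 0x01, 0xB3, 0x12, 0x00, 0x00, 0x01, 0xAA
    };
    const uint8_t *buf = backing;
    const uint8_t *end = backing + 8; /* real end of the buffer */
    scan_result r;

    r.first_code = find(&buf, end);
    r.second_code = find(&buf, end);
    r.overrun = buf - end;
    r.remaining = end - buf;
    return r;
}

int main(void)
{
    scan_result o = scan_sample(find_start_code_orig);
    scan_result f = scan_sample(find_start_code_fixed);

    printf("original: codes 0x%x 0x%x, overrun %td, input_size %td\n",
           o.first_code, o.second_code, o.overrun, o.remaining);
    printf("fixed:    codes 0x%x %d, overrun %td, input_size %td\n",
           f.first_code, f.second_code, f.overrun, f.remaining);
    return 0;
}
```

With the original loop the second call reports a start code built from the sentinel byte (0x1AA), leaves the buffer pointer one byte past the end, and a caller computing `buf_end - buf_ptr` gets -1, which is the value that reached mpeg1_decode_picture() in the report. The hardened loop returns -1 for the truncated start code and leaves the pointer at the real end.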