[Ffmpeg-devel] [PATCH] fix segment fault in h264_parse if buf_size is zero
Michael Niedermayer
michaelni
Tue Apr 10 22:16:12 CEST 2007
Hi
On Mon, Apr 09, 2007 at 09:54:09PM +0800, Limin Wang wrote:
> Hi,
>
> In case buf_size is zero, find_frame_end will return END_NOT_FOUND(-100); if
> reading to EOF of the file, -next will become 100, but pc->buf_index is zero,
> so it'll cause a buffer underflow by pc->buffer[-100]. It's easier to
> reproduce with -vcodec copy.
>
>
> Below is the print debug info:
> buf: 0x86cfcb8, last_index: 6779, next: 0
> buf: 0x86cfcb8, last_index: 6253, next: 0
> buf: 0x86cfcb8, last_index: 5851, next: 0
> buf: 0x86cfcb8, last_index: 6121, next: 0
> buf: 0x86cfcb8, last_index: 5732, next: 0
> buf: 0x86cfcb8, last_index: 5220, next: 0
> buf: 0x86cfcb8, last_index: 5587, next: -100
> buf: 0x86cfcb8, last_index: 0, next: -100
>
>
>
> Thanks,
> Limin
> Index: libavcodec/h264.c
> ===================================================================
> --- libavcodec/h264.c (revision 8688)
> +++ libavcodec/h264.c (working copy)
> @@ -8059,7 +8059,7 @@
> return buf_size;
> }
>
> - if(next<0){
> + if(next<0 && pc->last_index+next > 0){
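Review bot: the new condition still treats the END_NOT_FOUND sentinel as a real offset into the buffered data. With the values from the debug output above (last_index 5587, next -100), `pc->last_index+next > 0` is true, so the branch still runs with -100 as the offset; it is only skipped when last_index is at most 100, which covers the reported crash but not the general case. Since END_NOT_FOUND is a status code rather than an offset, test for it directly, e.g. `if(next<0 && next != END_NOT_FOUND){`. A second reason not to do arithmetic on the sentinel is that `> 0` also skips the valid index 0 whenever pc->last_index+next happens to be 0.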
I think the check should rather be next<0 && next != END_NOT_FOUND
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
it is not once nor twice but times without number that the same ideas make
their appearance in the world. -- Aristotle
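As an added illustration, not code from this thread or from ffmpeg: a constructed C model of the two steps under discussion, a find_frame_end that returns either a real (possibly negative) offset or the END_NOT_FOUND sentinel, and the guard in front of the re-scan, evaluated in the three forms the thread mentions. Scanner, rescan_runs and model_next are hypothetical names; the last_index values in the comments are taken from the debug output quoted above.

```c
#include <stdint.h>

#define END_NOT_FOUND (-100)

/* Constructed, simplified model of the scanner state the thread talks about;
 * it is not ffmpeg's ParseContext or h264_parse. */
typedef struct { int state; } Scanner;

/* Model of find_frame_end: looks for the start code 00 00 01 and returns the
 * frame end relative to the start of buf. State carries across calls, so the
 * result can be negative (the end lies inside bytes an earlier call buffered).
 * Returns the END_NOT_FOUND sentinel when nothing is found, always so for
 * buf_size == 0. */
static int find_frame_end(Scanner *sc, const uint8_t *buf, int buf_size)
{
    int state = sc->state;
    for (int i = 0; i < buf_size; i++) {
        if (state < 2)
            state = (buf[i] == 0) ? state + 1 : 0;
        else if (buf[i] == 1) {
            sc->state = 0;
            return i - 2;            /* frame ends just before the 00 00 01 */
        } else
            state = (buf[i] == 0) ? 2 : 0;
    }
    sc->state = state;
    return END_NOT_FOUND;
}

/* The condition guarding the caller's re-scan of pc->buffer[last_index + next]
 * (length -next), in the three forms from the thread; returns 1 when the
 * re-scan would run. A genuine negative next is a small offset back into the
 * buffered bytes; the sentinel is not an offset, so using it as one reads
 * before pc->buffer (last_index 0) or from a meaningless place (last_index 5587). */
static int rescan_runs(int last_index, int next, int guard)
{
    if (guard == 0) return next < 0;                             /* original */
    if (guard == 1) return next < 0 && last_index + next > 0;    /* the patch */
    return next < 0 && next != END_NOT_FOUND;                    /* proposed */
}

/* Feeds a start code split across two constructed chunks, then an empty EOF
 * read. Returns next from the second chunk (-2: the end lies two bytes back in
 * the buffered data) or, with at_eof set, the sentinel from the empty read. */
static int model_next(int at_eof)
{
    static const uint8_t chunk1[] = { 0x65, 0x00, 0x00 }, chunk2[] = { 0x01, 0x41, 0x9a };
    Scanner sc = { 0 };
    find_frame_end(&sc, chunk1, 3);                         /* END_NOT_FOUND, state 2 */
    int next = find_frame_end(&sc, chunk2, 3);              /* -2 */
    return at_eof ? find_frame_end(&sc, chunk2, 0) : next;  /* 0 bytes: sentinel */
}
```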