[FFmpeg-devel] [PATCH] Fix crash in cdxa_probe() when opening HTTP URL

Måns Rullgård mans
Wed Oct 31 23:33:25 CET 2007


Jon Foster <jon at jon-foster.co.uk> writes:

> This patch fixes a crash when calling av_open_input_file() with a http: URL.
> This crash happens because buf is NULL and buf_size is 0, but cdxa_probe()
> dereferences buf without checking.  The patch adds a check that buf_size
> is big enough to contain the signature.
>
> Index: libavformat/mpeg.c
> ===================================================================
> --- libavformat/mpeg.c	(revision 10885)
> +++ libavformat/mpeg.c	(working copy)
> @@ -35,7 +35,8 @@
>   static int cdxa_probe(AVProbeData *p)
>   {
>       /* check file header */
> -    if (p->buf[0] == 'R' && p->buf[1] == 'I' &&
> +    if (p->buf_size >= 8 &&
                          ^
> +        p->buf[0] == 'R' && p->buf[1] == 'I' &&
>           p->buf[2] == 'F' && p->buf[3] == 'F' &&
>           p->buf[8] == 'C' && p->buf[9] == 'D' &&
>           p->buf[10] == 'X' && p->buf[11] == 'A')
                   ^^

The size check isn't quite adequate.

-- 
M?ns Rullg?rd
mans at mansr.com




More information about the ffmpeg-devel mailing list