[FFmpeg-devel] [PATCH] ac3_probe input buffer overrun
Michael Niedermayer
michaelni
Sat Sep 1 16:39:36 CEST 2007
Hi
On Sat, Sep 01, 2007 at 01:02:37PM -0000, Wolfram Gloger wrote:
> > Not that I can find any current valgrind bug reports like that,
> > but in this case the memory is quite definitely uninitialized:
>
> I meant: "the used memory is quite definitely uninitialized".
>
> > --- ffmpeg-wg/libavformat/utils.c~ 2007-08-30 23:45:32.000000000 +0200
> > +++ ffmpeg-wg/libavformat/utils.c 2007-09-01 13:00:15.000000000 +0200
> > @@ -445,6 +445,7 @@
> > /* read probe data */
> > pd->buf= av_realloc(pd->buf, probe_size + AVPROBE_PADDING_SIZE);
> > pd->buf_size = get_buffer(pb, pd->buf, probe_size);
> > + memset(pd->buf + pd->buf_size, 0, AVPROBE_PADDING_SIZE);
> > if (url_fseek(pb, 0, SEEK_SET) < 0) {
> > url_fclose(pb);
> > if (url_fopen(pb, filename, URL_RDONLY) < 0) {
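Review bot: the added memset takes pd->buf and pd->buf_size as given, with no check on either the av_realloc result or the get_buffer return value in the two lines above it. If av_realloc fails, pd->buf is NULL (and the old buffer is lost because the result is assigned straight back to pd->buf). If get_buffer can return a negative value, pd->buf + pd->buf_size points before the allocation. In both cases the memset writes through an invalid pointer. Suggest keeping the realloc result in a temporary and failing on NULL, and treating a negative pd->buf_size as 0 before the memset. A short comment that the padding is zeroed because probe functions may read up to AVPROBE_PADDING_SIZE bytes past buf_size would also help.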
> >
> > should fix it too and could of course replace my patch.
>
> .. and this is insufficient. There is another case where the probe buffer
> isn't even properly extended. New patch attached.
patch ok
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
I count him braver who overcomes his desires than him who conquers his
enemies for the hardest victory is over self. -- Aristotle