[FFmpeg-devel] [PATCH] find_info_tag: Make sure the output buffer is null terminated

Martin Storsjö martin
Tue Oct 5 21:28:43 CEST 2010


On Tue, 5 Oct 2010, Ronald S. Bultje wrote:

> On Tue, Oct 5, 2010 at 9:24 AM, Martin Storsjo <martin at martin.st> wrote:
> > Currently, a tag without a = character makes the function return 1
> > but leaves the arg buffer untouched (and thus not null terminated).
> > ---
> >  libavformat/utils.c |    2 +-
> >  1 files changed, 1 insertions(+), 1 deletions(-)
> >
> > diff --git a/libavformat/utils.c b/libavformat/utils.c
> > index 5985511..a545a5d 100644
> > --- a/libavformat/utils.c
> > +++ b/libavformat/utils.c
> > @@ -3361,8 +3361,8 @@ int find_info_tag(char *arg, int arg_size, const char *tag1, const char *info)
> > ? ? ? ? ? ? ? ? }
> > ? ? ? ? ? ? ? ? p++;
> > ? ? ? ? ? ? }
> > - ? ? ? ? ? ?*q = '\0';
> > ? ? ? ? }
> > + ? ? ? ?*q = '\0';
> > ? ? ? ? if (!strcmp(tag, tag1))
> > ? ? ? ? ? ? return 1;
> > ? ? ? ? if (*p != '&')
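Review bot: moving `*q = '\0';` out of the `if (*p == '=')` block is the right fix, because the only other `*q = '\0';` in this function executes while `q` still points at the local `tag` buffer (it is re-pointed at `arg` by `q = arg;` immediately afterwards), so a tag with no `=` previously returned 1 with `arg` holding whatever the caller's buffer contained and no terminator within `arg_size`; with the hunk applied, that path now yields an empty string. The commit message should say that explicitly (an unterminated `arg` is what callers go on to pass to string functions), and a one-line comment above the moved write, e.g. `/* terminate arg even when the tag has no value */`, would stop someone from moving it back inside the branch later.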
> [..]
>         *q = '\0'; <----------- !!!!!
>         q = arg;
>         if (*p == '=') {
>             p++;
>             while (*p != '&' && *p != '\0') {
>                 if ((q - arg) < arg_size - 1) {
>                     if (*p == '+')
>                         *q++ = ' ';
>                     else
>                         *q++ = *p;
>                 }
>                 p++;
>             }
>             *q = '\0';
>         }
> 
> I don't think this is an actual issue...

Yes, it's an actual issue. q initially points to the tag array, then, 
below that line, is set to point at arg. If the *p == '=' branch isn't 
taken, nothing is written into arg, while still returning 1.

// Martin
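To make the failure mode concrete, the following is an added example, not FFmpeg's code: a reduced re-implementation of the tag lookup loop quoted above, with a `terminate_always` switch that selects between the pre-patch placement of `*q = '\0'` (inside the `if (*p == '=')` branch) and the placement the patch proposes (after it). The function and helper names, the 128-byte tag buffer and the sample query strings are all assumptions made for the demonstration. `demo_unterminated()` pre-fills the output buffer with non-NUL bytes, the way stale stack contents might look in a caller, then looks up a tag that has no `=` value and reports whether the buffer was left without a terminator.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reduced re-implementation of the lookup discussed in the thread (added
 * example, not libavformat's find_info_tag). Parses "?a=b&c=d" style text,
 * copies the value of tag1 into arg and returns 1 if tag1 was present.
 * terminate_always == 0 mimics the pre-patch code, 1 the patched code. */
static int lookup_tag(char *arg, int arg_size, const char *tag1,
                      const char *info, int terminate_always)
{
    const char *p = info;
    char tag[128], *q;

    if (*p == '?')
        p++;
    for (;;) {
        q = tag;
        while (*p != '\0' && *p != '=' && *p != '&') {
            if ((size_t)(q - tag) < sizeof(tag) - 1)
                *q++ = *p;
            p++;
        }
        *q = '\0';            /* terminates tag: q still points into tag here */
        q = arg;              /* only now does q point at the output buffer */
        if (*p == '=') {
            p++;
            while (*p != '&' && *p != '\0') {
                if ((q - arg) < arg_size - 1) {
                    if (*p == '+')
                        *q++ = ' ';
                    else
                        *q++ = *p;
                }
                p++;
            }
            if (!terminate_always)
                *q = '\0';    /* pre-patch: arg terminated only on this path */
        }
        if (terminate_always)
            *q = '\0';        /* patched: arg terminated on both paths */
        if (!strcmp(tag, tag1))
            return 1;
        if (*p != '&')
            break;
        p++;
    }
    return 0;
}

/* Returns 1 if there is a NUL somewhere within the first arg_size bytes. */
static int is_terminated(const char *arg, int arg_size)
{
    return memchr(arg, '\0', (size_t)arg_size) != NULL;
}

/* Looks up a value-less tag into a buffer pre-filled with 'X' (constructed
 * stand-in for uninitialised caller memory). Returns 1 if the lookup reported
 * success yet left arg without a terminator, i.e. the bug reproduced. */
int demo_unterminated(int terminate_always)
{
    char arg[16];
    memset(arg, 'X', sizeof(arg));
    int found = lookup_tag(arg, (int)sizeof(arg), "flag",
                           "flag&other=1", terminate_always);
    return found && !is_terminated(arg, (int)sizeof(arg));
}

/* Convenience for checking the normal "tag=value" path of the patched
 * variant: returns 1 if tag1 is found and its decoded value equals expected. */
int value_equals(const char *info, const char *tag1, const char *expected)
{
    char buf[32];
    if (!lookup_tag(buf, (int)sizeof(buf), tag1, info, 1))
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    printf("pre-patch, tag without '=': unterminated=%d\n", demo_unterminated(0));
    printf("patched,   tag without '=': unterminated=%d\n", demo_unterminated(1));
    printf("patched,   name=hello+world decodes: %d\n",
           value_equals("?name=hello+world&x=1", "name", "hello world"));
    return 0;
}
```

Run stand-alone, the first line reports 1 (the buffer is returned without a terminator) and the second 0; the third line shows the ordinary path, including the `+` to space decoding, is unchanged by moving the terminator write.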


