[FFmpeg-devel] [PATCH 2/3] cafdec: prevent overreading the info chunk
Michael Niedermayer
michaelni
Thu Mar 3 14:04:43 CET 2011
On Thu, Mar 03, 2011 at 01:51:56PM +0100, Anton Khirnov wrote:
> ---
> libavformat/cafdec.c | 5 +++--
> 1 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c
> index d98c4bf..715dfdf 100644
> --- a/libavformat/cafdec.c
> +++ b/libavformat/cafdec.c
> @@ -182,11 +182,12 @@ static void read_info_chunk(AVFormatContext *s, int64_t size)
> AVIOContext *pb = s->pb;
> unsigned int i;
> unsigned int nb_entries = avio_rb32(pb);
> + size -= 4;
> for (i = 0; i < nb_entries; i++) {
> char key[32];
> char value[1024];
> - get_strz(pb, key, sizeof(key));
> - get_strz(pb, value, sizeof(value));
> + size -= avio_get_str(pb, size, key, sizeof(key));
> + size -= avio_get_str(pb, size, value, sizeof(value));
> av_metadata_set2(&s->metadata, key, value, 0);
> }
> }
I really dont belive that for the case where this makes a difference to the
current code that this would be the correct way to handle it
2 strings of 100 bytes in a 102 bytes chunk leads to the second string to be
2 bytes long and silently used without error message
Do you have a sample where this patch makes a difference?
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
I know you won't believe me, but the highest form of Human Excellence is
to question oneself and others. -- Socrates
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20110303/bf18a891/attachment.pgp>
More information about the ffmpeg-devel
mailing list