[FFmpeg-devel] [PATCH] Fix heap buffer overflow in ff_combine_frame

Baozeng Ding sploving1 at gmail.com
Tue Jun 26 14:02:38 EEST 2018


Signed-off-by: Baozeng Ding <sploving1 at gmail.com>
---
 libavcodec/parser.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/libavcodec/parser.c b/libavcodec/parser.c
index f43b197..a9786af 100644
--- a/libavcodec/parser.c
+++ b/libavcodec/parser.c
@@ -355,6 +355,7 @@ int ff_combine_frame(ParseContext *pc, int next,
 
     av_assert0(next >= 0 || pc->buffer);
 
+    int origin_buf_size = *buf_size;
     *buf_size          =
     pc->overread_index = pc->index + next;
 
@@ -370,9 +371,12 @@ int ff_combine_frame(ParseContext *pc, int next,
             return AVERROR(ENOMEM);
         }
         pc->buffer = new_buffer;
-        if (next > -AV_INPUT_BUFFER_PADDING_SIZE)
-            memcpy(&pc->buffer[pc->index], *buf,
-                   next + AV_INPUT_BUFFER_PADDING_SIZE);
+        if (next > -AV_INPUT_BUFFER_PADDING_SIZE) {
+            int copy_len = next + AV_INPUT_BUFFER_PADDING_SIZE;
+            if (next + AV_INPUT_BUFFER_PADDING_SIZE > origin_buf_size)
+                copy_len = origin_buf_size;
+            memcpy(&pc->buffer[pc->index], *buf, copy_len);
+        }
         pc->index = 0;
         *buf      = pc->buffer;
     }
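Review bot: The clamp silently truncates instead of rejecting the condition that causes the overflow, and its bound is off by the padding: the original copy length `next + AV_INPUT_BUFFER_PADDING_SIZE` relies on the caller supplying AV_INPUT_BUFFER_PADDING_SIZE readable bytes past `*buf_size` (that is what the constant exists for), so with valid input `next <= origin_buf_size` the copy can legitimately reach `origin_buf_size + AV_INPUT_BUFFER_PADDING_SIZE`, and capping at `origin_buf_size` makes every frame whose `next` lands within the last padding-sized stretch of the input copy fewer bytes, leaving the tail of the freshly grown pc->buffer with whatever av_fast_realloc left there (nothing in this hunk clears it). Only `next > origin_buf_size` — a parser returning an index past the end of its input — can actually read out of bounds, and that is a bug to surface, not paper over. I would replace the two clamp lines with `if (copy_len > origin_buf_size + AV_INPUT_BUFFER_PADDING_SIZE) return AVERROR_INVALIDDATA;` (a negative return is already part of this function's contract, see the ENOMEM path above), and also look for the parser that produced the oversized `next` in the reproducer. The function continues past the end of this hunk.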
-- 
2.7.4


