[FFmpeg-devel] [PATCH 5/7] avformat/mpegts: Limit copied data to space

Marton Balint cus at passwd.hu
Thu Nov 5 00:17:53 EET 2020



On Wed, 4 Nov 2020, Michael Niedermayer wrote:

> Fixes: out of array access
> Fixes: 26816/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-6282861159907328.fuzz
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavformat/mpegts.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
> index ebb09991dc..80d010db6c 100644
> --- a/libavformat/mpegts.c
> +++ b/libavformat/mpegts.c
> @@ -3169,7 +3169,7 @@ static int mpegts_raw_read_packet(AVFormatContext *s, AVPacket *pkt)
>         return ret;
>     }
>     if (data != pkt->data)
> -        memcpy(pkt->data, data, ts->raw_packet_size);
> +        memcpy(pkt->data, data, TS_PACKET_SIZE);
>     finished_reading_packet(s, ts->raw_packet_size);
>     if (ts->mpeg2ts_compute_pcr) {
>         /* compute exact PCR for each packet */
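
Review bot: the changed memcpy now copies TS_PACKET_SIZE bytes while the next line, finished_reading_packet(s, ts->raw_packet_size), still advances by ts->raw_packet_size, and nothing in the hunk documents why the two lengths differ. A short comment above the memcpy would help, saying that the destination has room for TS_PACKET_SIZE bytes (as the subject line implies) and that the rest of the raw packet is skipped on purpose. The allocation of pkt->data is not visible in this context, so it may also be worth deriving the copy length from the destination, for example FFMIN(pkt->size, TS_PACKET_SIZE), so the bound follows the buffer if its size ever changes.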

LGTM, thanks.

Marton

