[FFmpeg-devel] [PATCH] avformat/pjsdec: check strcspn values before using them
Michael Niedermayer
michaelni at gmx.at
Fri Jan 10 02:05:47 CET 2014
Fixes use of uninitialized memory
Fixes: msan_uninit-mem_7f91f2de7764_2649_PJS_capability_tester.pjs
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
---
libavformat/pjsdec.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/libavformat/pjsdec.c b/libavformat/pjsdec.c
index a69a316..00866b7 100644
--- a/libavformat/pjsdec.c
+++ b/libavformat/pjsdec.c
@@ -65,6 +65,7 @@ static int pjs_read_header(AVFormatContext *s)
PJSContext *pjs = s->priv_data;
AVStream *st = avformat_new_stream(s, NULL);
int res = 0;
+ int idx;
if (!st)
return AVERROR(ENOMEM);
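Review bot: `idx` is declared `int`, but the second hunk assigns it the `size_t` result of strcspn() and then uses it as an array index into `line` and `p`. The line buffer is presumably small enough that the value always fits, but its declaration is not visible here, and the implicit narrowing to a signed type makes the bounds reasoning harder to audit. Declaring it as `size_t idx;` matches the API and avoids a sign-conversion warning. The body of pjs_read_header continues outside this hunk.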
@@ -83,13 +84,25 @@ static int pjs_read_header(AVFormatContext *s)
if (!len)
break;
- line[strcspn(line, "\r\n")] = 0;
+ idx = strcspn(line, "\r\n");
+ if (!line[idx]) {
+ av_log(s, AV_LOG_ERROR, "missing newline\n");
+ return AVERROR_INVALIDDATA;
+ }
+
+ line[idx] = 0;
pts_start = read_ts(&p, &duration);
if (pts_start != AV_NOPTS_VALUE) {
AVPacket *sub;
- p[strcspn(p, "\"")] = 0;
+ idx = strcspn(p, "\"");
+ if (!p[idx]) {
+ av_log(s, AV_LOG_ERROR, "missing \"\n");
+ return AVERROR_INVALIDDATA;
+ }
+
+ p[idx] = 0;
sub = ff_subtitles_queue_insert(&pjs->q, p, strlen(p), 0);
if (!sub)
return AVERROR(ENOMEM);
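Review bot: Both new `return AVERROR_INVALIDDATA;` paths leave from inside the parsing loop, after earlier iterations may already have added packets to `pjs->q` through ff_subtitles_queue_insert(), and nothing on these paths releases them. Whether the caller runs the demuxer's close callback when read_header fails is not visible from this hunk, so I would free the queue explicitly with `ff_subtitles_queue_clean(&pjs->q);` before each return, or route them through one shared `fail:` label; the existing `return AVERROR(ENOMEM);` has the same shape. Separately, `if (!line[idx])` fires on any line without `\r` or `\n`, which presumably includes a last line that ends at EOF with no trailing newline, so such a file would now be rejected whole. If that strictness is intended, a comment such as `/* a line without a terminator, including an unterminated last line, is treated as invalid */` would record it. The loop and the rest of pjs_read_header lie outside the hunk.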
--
1.7.9.5