From 151b4947e5d21c418d5316a6d93b5b03f4be4b86 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sat, 1 Jun 2013 14:07:24 +0200 Subject: [PATCH] lavc/avpacket: fill padding area on side data split. The padding data is assumed to be 0 in several places, notably in subtitles. This problem was not detected with fate-sub-srt test because the first element of the side data (x1) is 0 in the test, so the trailing side data present in the packet wasn't read by the decoder. The issue can be observed with a large enough x1. It is also noted in FF_INPUT_BUFFER_PADDING_SIZE doxy that MPEG bitstreams require that padding with 0, so it might fix other issues. --- libavcodec/avpacket.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index 198365e3a7..e276c60c2d 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -356,7 +356,7 @@ int av_packet_merge_side_data(AVPacket *pkt){ int av_packet_split_side_data(AVPacket *pkt){ if (!pkt->side_data_elems && pkt->size >12 && AV_RB64(pkt->data + pkt->size - 8) == FF_MERGE_MARKER){ int i; - unsigned int size; + unsigned int size, orig_pktsize = pkt->size; uint8_t *p; p = pkt->data + pkt->size - 8 - 5; @@ -389,6 +389,13 @@ int av_packet_split_side_data(AVPacket *pkt){ p-= size+5; } pkt->size -= 8; + /* FFMIN() prevents overflow in case the packet wasn't allocated with + * proper padding. + * If the side data is smaller than the buffer padding size, the + * remaining bytes should have already been filled with zeros by the + * original packet allocation anyway. */ + memset(pkt->data + pkt->size, 0, + FFMIN(orig_pktsize - pkt->size, FF_INPUT_BUFFER_PADDING_SIZE)); pkt->side_data_elems = i+1; return 1; }