RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

lavf: make av_probe_input_buffer more robust 

Always use the actually read size as the offset instead of making
possibly invalid assumptions.

Addresses: CVE-2012-6618

(cherry picked from commit 2115a35974)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Conflicts:
	libavformat/utils.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8575f5362f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This commit is contained in:
Anton Khirnov 2014-01-13 13:47:07 +01:00 committed by Reinhard Tartler
parent 5522c564d4
commit 8cade1352b
1 changed files with 1 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
libavformat/utils.c
View File

@ -514,7 +514,6 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
for(probe_size= PROBE_BUF_MIN; probe_size<=max_probe_size && !*fmt;
probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) {
int score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0;
int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1;
if (probe_size < offset) {
continue;
@ -522,7 +521,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
/* read probe data */
buf = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE);
if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) {
if ((ret = avio_read(pb, buf + pd.buf_size, probe_size - pd.buf_size)) < 0) {
/* fail if error was not end of file, otherwise, lower score */
if (ret != AVERROR_EOF) {
av_free(buf);