[FFmpeg-cvslog] avformat/dashdec: Allocate space for appended "/"

Michael Niedermayer git at videolan.org
Mon Aug 4 23:57:41 EEST 2025


ffmpeg | branch: release/7.0 | Michael Niedermayer <michael at niedermayer.cc> | Mon Jul 28 23:41:56 2025 +0200| [cc6371d48d10f90571b40eb9680ce7198c4b4532] | committer: Michael Niedermayer

avformat/dashdec: Allocate space for appended "/"

Fixes: writing 1 byte over the end of the array
Fixes: BIGSLEEP-433502298/test.xml

Found-by: Google Big Sleep

A prettier solution is welcome!
A testcase exists only for the baseurl case

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit ce0a655f85c1144d19a4acad59afbb92e4997e30)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cc6371d48d10f90571b40eb9680ce7198c4b4532
---

 libavformat/dashdec.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
index 5909677bf1..3e5a39c781 100644
--- a/libavformat/dashdec.c
+++ b/libavformat/dashdec.c
@@ -734,7 +734,7 @@ static int resolve_content_path(AVFormatContext *s, const char *url, int *max_ur
     }
 
     tmp_max_url_size = aligned(tmp_max_url_size);
-    text = av_mallocz(tmp_max_url_size);
+    text = av_mallocz(tmp_max_url_size + 1);
     if (!text) {
         updated = AVERROR(ENOMEM);
         goto end;
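Review bot: The `+ 1` on the `text` allocation has no comment saying which byte it reserves, and the same applies to the `+ 2` on `path` in the second hunk and on `len` in the third. The commit message ties the extra space to an appended "/", but the append itself is outside these hunks, so a reader cannot tell why the margins differ (+1 here, +2 elsewhere). A short comment at each site, for example `/* +2: room for an appended '/' and the terminating NUL */`, or one named constant shared by the three allocations, would keep the sizes from drifting apart in later edits. resolve_content_path starts and ends outside the hunk.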
@@ -746,7 +746,7 @@ static int resolve_content_path(AVFormatContext *s, const char *url, int *max_ur
     }
     av_free(text);
 
-    path = av_mallocz(tmp_max_url_size);
+    path = av_mallocz(tmp_max_url_size + 2);
     tmp_str = av_mallocz(tmp_max_url_size);
     if (!tmp_str || !path) {
         updated = AVERROR(ENOMEM);
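Review bot: `tmp_str` is still allocated with `tmp_max_url_size` while `path` next to it grows by two bytes. The commit message says a testcase exists only for the baseurl case, so if code outside this hunk copies the root URL together with its appended "/" into `tmp_str`, that buffer may need the same headroom; this is inferred, since the copy is not visible here. If so, `tmp_str = av_mallocz(tmp_max_url_size + 2);` would match `path`. The function starts and ends outside the hunk.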
@@ -768,6 +768,15 @@ static int resolve_content_path(AVFormatContext *s, const char *url, int *max_ur
 
     node = baseurl_nodes[rootId];
     baseurl = xmlNodeGetContent(node);
+    if (baseurl) {
+        size_t len = xmlStrlen(baseurl)+2;
+        char *tmp = xmlRealloc(baseurl, len);
+        if (!tmp) {
+            updated = AVERROR(ENOMEM);
+            goto end;
+        }
+        baseurl = tmp;
+    }
     root_url = (av_strcasecmp(baseurl, "")) ? baseurl : path;
     if (node) {
         xmlNodeSetContent(node, root_url);
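Review bot: `baseurl` can still be NULL when it reaches `av_strcasecmp(baseurl, "")` on the line right after the new block. The added `if (baseurl)` guard acknowledges that xmlNodeGetContent() may return NULL, but the comparison is unconditional and av_strcasecmp reads through both pointers. Guarding it, `root_url = (baseurl && av_strcasecmp(baseurl, "")) ? baseurl : path;`, falls back to `path` in that case. Separately, `xmlStrlen(baseurl)+2` is summed as int before being widened to size_t; `(size_t)xmlStrlen(baseurl) + 2` keeps the addition out of signed arithmetic. The function body continues outside the hunk.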


