[FFmpeg-devel] [PATCH] Fix 'while' loop condition to prevent movtext crashes by tracking packet size
Niklesh Lalwani
niklesh.lalwani at iitb.ac.in
Sun May 17 18:06:42 CEST 2015
From: Niklesh <niklesh.lalwani at iitb.ac.in>
Hi all,
This patch fixes some movtext crashes caused by an incorrect 'while' loop condition. I will post several other patches to improve upon the code and null pointer dereferences once this is applied.
Signed-off-by: Niklesh <niklesh.lalwani at iitb.ac.in>
---
libavcodec/movtextdec.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c
index 3059599..d03a188 100644
--- a/libavcodec/movtextdec.c
+++ b/libavcodec/movtextdec.c
@@ -96,7 +96,7 @@ static int mov_text_decode_frame(AVCodecContext *avctx,
char *ptr = avpkt->data;
char *end;
//char *ptr_temp;
- int text_length, tsmb_type, style_entries, tsmb_size;
+ int text_length, tsmb_type, style_entries, tsmb_size, tracksize;
int **style_start = {0,};
int **style_end = {0,};
int **style_flags = {0,};
@@ -135,11 +135,12 @@ static int mov_text_decode_frame(AVCodecContext *avctx,
(AVRational){1,100});
tsmb_size = 0;
+ tracksize = 2 + text_length;
// Note that the spec recommends lines be no longer than 2048 characters.
av_bprint_init(&buf, 0, AV_BPRINT_SIZE_UNLIMITED);
if (text_length + 2 != avpkt->size) {
- while (text_length + 2 + tsmb_size < avpkt->size) {
- tsmb = ptr + text_length + tsmb_size;
+ while (tracksize < avpkt->size) {
+ tsmb = ptr + tracksize -2;
tsmb_size = AV_RB32(tsmb);
tsmb += 4;
tsmb_type = AV_RB32(tsmb);
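Review bot: the new condition `while (tracksize < avpkt->size)` only guarantees that at least one byte remains, yet the body immediately reads two 32-bit fields (`tsmb_size = AV_RB32(tsmb);` and `tsmb_type = AV_RB32(tsmb);`), so a packet whose trailing box is shorter than 8 bytes still reads up to 7 bytes past `avpkt->data + avpkt->size`. The check should be `while (tracksize + 8 <= avpkt->size)` so the box header is known to lie inside the packet before it is parsed. Minor style point on the same hunk: `ptr + tracksize -2` should be spaced as `ptr + tracksize - 2`.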
@@ -176,6 +177,7 @@ static int mov_text_decode_frame(AVCodecContext *avctx,
av_freep(&style_end);
av_freep(&style_flags);
}
+ tracksize = tracksize + tsmb_size;
}
} else
text_to_ass(&buf, ptr, end, NULL, NULL, 0, 0);
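Review bot: `tracksize = tracksize + tsmb_size;` advances by a value taken straight from the packet with no validation, so the loop termination still depends on attacker-controlled data: a box with `tsmb_size == 0` never advances and spins forever, a value smaller than 8 lands the next header inside the current one, and a value larger than the remaining bytes (or one that becomes negative when the 32-bit `AV_RB32` result is stored in `int`) moves `tsmb` outside the packet on the next iteration. Before using it, check `if (tsmb_size < 8 || tsmb_size > avpkt->size - tracksize) break;` (or return `AVERROR_INVALIDDATA`) right after `tsmb_size` is read, and consider `tracksize += tsmb_size;` for the advance itself.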
--
1.9.1