[FFmpeg-devel] [PATCH] Respect payload offset in av_grow_packet
Michael Niedermayer
michael at niedermayer.cc
Wed May 25 13:50:27 CEST 2016
On Wed, May 25, 2016 at 01:01:27PM +0300, Andriy Lysnevych wrote:
> You are right. Please review updated patch.
> avpacket.c | 19 ++++++++++++-------
> 1 file changed, 12 insertions(+), 7 deletions(-)
> 44aa8ad5f855c68cbed7da06dbf2be888ede301d 0001-Respect-payload-offset-in-av_grow_packet.patch
> From 62b31fa4b05fc600eada4fb28b352e5b87bd60f8 Mon Sep 17 00:00:00 2001
> From: Andriy Lysnevych <andriy.lysnevych at gmail.com>
> Date: Wed, 25 May 2016 12:55:39 +0300
> Subject: [PATCH] Respect payload offset in av_grow_packet
>
> ---
> libavcodec/avpacket.c | 19 ++++++++++++-------
> 1 file changed, 12 insertions(+), 7 deletions(-)
>
> diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c
> index bcc7c79..68b5202 100644
> --- a/libavcodec/avpacket.c
> +++ b/libavcodec/avpacket.c
> @@ -110,24 +110,29 @@ int av_grow_packet(AVPacket *pkt, int grow_by)
> {
> int new_size;
> av_assert0((unsigned)pkt->size <= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE);
> - if (!pkt->size)
> - return av_new_packet(pkt, grow_by);
> if ((unsigned)grow_by >
> INT_MAX - (pkt->size + AV_INPUT_BUFFER_PADDING_SIZE))
> return -1;
>
> new_size = pkt->size + grow_by + AV_INPUT_BUFFER_PADDING_SIZE;
> if (pkt->buf) {
> - int ret = av_buffer_realloc(&pkt->buf, new_size);
> - if (ret < 0)
> - return ret;
> + int data_offset = pkt->data - pkt->buf->data;
> + if ((unsigned)data_offset > INT_MAX - new_size)
> + return -1;
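Review bot: with the `if (!pkt->size) return av_new_packet(pkt, grow_by);` early return removed, the new line `int data_offset = pkt->data - pkt->buf->data;` now runs for every packet that has a `buf`, including an empty one whose `pkt->data` may be NULL, so the subtraction needs either an `av_assert0(pkt->data)` or an explicit NULL branch in front of it; the difference should also be stored as `ptrdiff_t` or `size_t` rather than `int`, because a pointer difference can exceed `INT_MAX` and the `(unsigned)data_offset > INT_MAX - new_size` check would then compare a truncated value.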
data_offset should probably be size_t, that's also what offsetof() would give.
A pointer difference can be larger than INT_MAX.
Also please add an av_assert0 that pkt->data is not NULL or handle that case;
as pkt->size can be 0 I am not sure pkt->data is guaranteed to be non-null.
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
While the State exists there can be no freedom; when there is freedom there
will be no State. -- Vladimir Lenin