[FFmpeg-devel] [PATCH 2/5] avformat/matroskaenc: fix invalid pointer access if avio_get_dyn_buf failed

Nicolas George george at nsup.org
Wed Apr 29 18:19:21 EEST 2020


lance.lmwang at gmail.com (12020-04-29):
> From: Limin Wang <lance.lmwang at gmail.com>
> 
> Signed-off-by: Limin Wang <lance.lmwang at gmail.com>
> ---
>  libavformat/matroskaenc.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c
> index 784973a951..f0474da44f 100644
> --- a/libavformat/matroskaenc.c
> +++ b/libavformat/matroskaenc.c
> @@ -374,9 +374,12 @@ static void end_ebml_master_crc32(AVIOContext *pb, AVIOContext **dyn_cp,
>      put_ebml_length(pb, size, length_size);
>      if (mkv->write_crc) {
>          skip = 6; /* Skip reserved 6-byte long void element from the dynamic buffer. */
> +        if (size > skip) {
>          AV_WL32(crc, av_crc(av_crc_get_table(AV_CRC_32_IEEE_LE), UINT32_MAX, buf + skip, size - skip) ^ UINT32_MAX);
>          put_ebml_binary(pb, EBML_ID_CRC32, crc, sizeof(crc));
> +        }
>      }
> +    if (size > skip)

Same as previous: just skipping the work when the buffer is not big
enough seems broken.

>      avio_write(pb, buf + skip, size - skip);
>  
>      if (keep_buffer) {
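
Review bot: Both added `if (size > skip)` guards, the one wrapping the CRC computation and the one before `avio_write(pb, buf + skip, size - skip);`, silently skip the output when the buffer is too small, while `put_ebml_length(pb, size, length_size);` at the top of the hunk has already written a length for the element. The function is declared `static void`, so the caller is never told that the CRC and payload were dropped. Consider detecting the failed or short buffer before the length is written and changing the function to return an error code that callers check, rather than guarding each use of `buf + skip`. As a style point, the two statements under the new `if (size > skip) {` in the `mkv->write_crc` branch are not re-indented to match the new block.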

Regards,

-- 
  Nicolas George