[FFmpeg-cvslog] aviobuf: Write new data at s->buf_end in fill_buffer

Martin Storsjö git
Thu Mar 3 18:23:05 CET 2011

ffmpeg | branch: master | Martin Storsjö <martin at martin.st> | Sun Feb 27 01:02:32 2011 +0200| [62d0a7453af12e9e7880dd08d4dafe20374625c1] | committer: Michael Niedermayer

aviobuf: Write new data at s->buf_end in fill_buffer

In most cases, s->buf_ptr will be equal to s->buf_end when
fill_buffer is called, but this may not always be the case, if
we're seeking forward by reading (permitted by the short seek

If fill_buffer is writing to s->buf_ptr instead of s->buf_end (when
they aren't equal and s->buf_ptr is ahead of s->buffer), the data
between s->buf_ptr and s->buf_end is overwritten, leading to
inconsistent buffer content. This could return incorrect data if
later seeking back into the area before the current s->buf_ptr.

Signed-off-by: Luca Barbato <lu_zero at gentoo.org>
(cherry picked from commit e360ada2d13af36ab7afd9ebcd2bd236d23d9b96)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=62d0a7453af12e9e7880dd08d4dafe20374625c1

 libavformat/aviobuf.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index 0c733a7..3f3721c 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -468,7 +468,7 @@ void put_tag(AVIOContext *s, const char *tag)
 static void fill_buffer(AVIOContext *s)
-    uint8_t *dst= !s->max_packet_size && s->buf_end - s->buffer < s->buffer_size ? s->buf_ptr : s->buffer;
+    uint8_t *dst= !s->max_packet_size && s->buf_end - s->buffer < s->buffer_size ? s->buf_end : s->buffer;
     int len= s->buffer_size - (dst - s->buffer);
     int max_buffer_size = s->max_packet_size ? s->max_packet_size : IO_BUFFER_SIZE;
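
Review bot: the `: s->buffer` fallback on the changed `dst` line still restarts writing at the start of the buffer once `s->buf_end - s->buffer` reaches `s->buffer_size`. If `s->buf_ptr` can be behind `s->buf_end` when that happens (the commit message says the two are not always equal on entry), the unread bytes are overwritten just as they were before this fix, so it is worth confirming that this state is either unreachable or handled by the rest of the function. A one-line comment above `dst` saying that new data is appended at `s->buf_end` so the bytes between `s->buf_ptr` and `s->buf_end` stay valid for a later backward seek would also keep the next reader from "simplifying" it back to `s->buf_ptr`.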
