[FFmpeg-cvslog] avformat/pva: Make sure the first byte of pes_header_data has been initialized

Michael Niedermayer git at videolan.org
Fri Dec 20 23:11:28 CET 2013


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Fri Dec 20 18:07:30 2013 +0100| [5ec3c7b7c1189dca0ba29edbd33b5dbe68313382] | committer: Michael Niedermayer

avformat/pva: Make sure the first byte of pes_header_data has been initialized

Fixes use of uninitialized memory
Fixes: msan_uninit-mem_7f53c1d0e95c_2674_PVA_test-partial.pva
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5ec3c7b7c1189dca0ba29edbd33b5dbe68313382
---

 libavformat/pva.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/libavformat/pva.c b/libavformat/pva.c
index 9b7a40a..635fb72 100644
--- a/libavformat/pva.c
+++ b/libavformat/pva.c
@@ -85,6 +85,7 @@ static int read_part_of_packet(AVFormatContext *s, int64_t *pts,
     PVAContext *pvactx = s->priv_data;
     int syncword, streamid, reserved, flags, length, pts_flag;
     int64_t pva_pts = AV_NOPTS_VALUE, startpos;
+    int ret;
 
 recover:
     startpos = avio_tell(pb);
@@ -133,8 +134,8 @@ recover:
             pes_flags              = avio_rb16(pb);
             pes_header_data_length = avio_r8(pb);
 
-            if (pes_signal != 1) {
-                pva_log(s, AV_LOG_WARNING, "expected signaled PES packet, "
+            if (pes_signal != 1 || pes_header_data_length == 0) {
+                pva_log(s, AV_LOG_WARNING, "expected non empty signaled PES packet, "
                                           "trying to recover\n");
                 avio_skip(pb, length - 9);
                 if (!read_packet)
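Review bot: The combined test `if (pes_signal != 1 || pes_header_data_length == 0)` reports both failures with one warning text, so a log from a malformed sample does not show which condition fired. Consider including the values of pes_signal and pes_header_data_length in the pva_log message, and adding a short comment that the zero-length case is rejected so that the first byte of pes_header_data is always filled by the read that follows. Separately, `avio_skip(pb, length - 9)` in this branch has no visible guard that length is at least 9; it is worth confirming that this is bounded earlier in the function.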
@@ -142,7 +143,9 @@ recover:
                 goto recover;
             }
 
-            avio_read(pb, pes_header_data, pes_header_data_length);
+            ret = avio_read(pb, pes_header_data, pes_header_data_length);
+            if (ret != pes_header_data_length)
+                return ret < 0 ? ret : AVERROR_INVALIDDATA;
             length -= 9 + pes_header_data_length;
 
             pes_packet_length -= 3 + pes_header_data_length;
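Review bot: The short-read path `return ret < 0 ? ret : AVERROR_INVALIDDATA;` exits without any log line, while the malformed-header branch just above warns through pva_log and jumps to recover. A warning here that states the expected and actual byte counts would make truncated files easier to diagnose, and a one-line comment on why a truncated PES header is treated as fatal rather than resynchronized would document the difference in handling.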


