[FFmpeg-cvslog] asfdec: dont truncate type 2-5 values

Michael Niedermayer git at videolan.org
Tue Mar 5 22:36:27 CET 2013


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Tue Mar  5 21:56:46 2013 +0100| [d9293648147013403de729958ea4c19a5b6c40e4] | committer: Michael Niedermayer

asfdec: dont truncate type 2-5 values

Fixes use of uninitialized variables and possible out of array accesses

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d9293648147013403de729958ea4c19a5b6c40e4
---

 libavformat/asfdec.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index 38f46a6..de42b45 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -278,11 +278,12 @@ static void get_tag(AVFormatContext *s, const char *key, int type, int len, int
 {
     char *value;
     int64_t off = avio_tell(s->pb);
+#define LEN 22
 
-    if ((unsigned)len >= (UINT_MAX - 1) / 2)
+    if ((unsigned)len >= (UINT_MAX - LEN) / 2)
         return;
 
-    value = av_malloc(2 * len + 1);
+    value = av_malloc(2 * len + LEN);
     if (!value)
         goto finish;
 
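Review bot: The allocation size "2 * len + LEN" is still evaluated in int, and the guard above it does not keep that expression in range: with a 32-bit int, (UINT_MAX - LEN) / 2 is just below INT_MAX, so a len above INT_MAX / 2 passes the check and then overflows the signed multiplication before the result reaches av_malloc(). Bounding len against (INT_MAX - LEN) / 2, or doing the size arithmetic in an unsigned or size_t variable, would make the check match the expression it protects. Separately, "#define LEN 22" is introduced in the middle of the function body under a very generic name, and no #undef is visible in these hunks; a descriptively named constant with a comment saying what 22 covers (UINT64_MAX prints as 20 decimal digits, plus the terminator) would be easier to maintain.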
@@ -302,7 +303,7 @@ static void get_tag(AVFormatContext *s, const char *key, int type, int len, int
         goto finish;
     } else if (type > 1 && type <= 5) {  // boolean or DWORD or QWORD or WORD
         uint64_t num = get_value(s->pb, type, type2_size);
-        snprintf(value, len, "%"PRIu64, num);
+        snprintf(value, LEN, "%"PRIu64, num);
     } else if (type == 6) { // (don't) handle GUID
         av_log(s, AV_LOG_DEBUG, "Unsupported GUID value in tag %s.\n", key);
         goto finish;
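Review bot: The snprintf() bound in the type 2-5 branch is now LEN, which is only safe because the earlier hunk allocates at least LEN bytes regardless of len, and nothing at this call site says so. A one-line comment here stating that the formatted number's length is independent of the tag's len, and that the buffer always has LEN bytes of room for a "%"PRIu64 value, would keep a later change to the av_malloc() size from silently reintroducing the out-of-bounds write. The old call passed len as the size, so a small or zero len truncated the number or left value unwritten; that rationale is worth recording next to the call rather than only in the commit message.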


