[Ffmpeg-devel] [PATCH] fix segment fault in h264_parse if buf_size is zero

Limin Wang lance.lmwang
Mon Apr 9 15:54:09 CEST 2007


Hi,

In case buf_size is zero, find_frame_end will return END_NOT_FOUND (-100); if
reading to EOF of the file, -next will become 100, but pc->buf_index is zero,
so it'll cause a buffer underflow by pc->buffer[-100]. It's easier to
reproduce with -vcodec copy.


Below is the debug print output:
buf: 0x86cfcb8, last_index: 6779, next: 0
buf: 0x86cfcb8, last_index: 6253, next: 0
buf: 0x86cfcb8, last_index: 5851, next: 0
buf: 0x86cfcb8, last_index: 6121, next: 0
buf: 0x86cfcb8, last_index: 5732, next: 0
buf: 0x86cfcb8, last_index: 5220, next: 0
buf: 0x86cfcb8, last_index: 5587, next: -100
buf: 0x86cfcb8, last_index: 0, next: -100



Thanks,
Limin
-------------- next part --------------
Index: libavcodec/h264.c
===================================================================
--- libavcodec/h264.c	(revision 8688)
+++ libavcodec/h264.c	(working copy)
@@ -8059,7 +8059,7 @@
             return buf_size;
         }
 
-        if(next<0){
+        if(next<0 && pc->last_index+next > 0){
             find_frame_end(h, &pc->buffer[pc->last_index + next], -next); //update state
         }
     }
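Review bot: the guard `pc->last_index+next > 0` is off by one: when `pc->last_index + next == 0` the call would read from `&pc->buffer[0]` for `-next` bytes, which is an in-bounds start, so `>= 0` is the intended comparison and `> 0` skips a valid state update. Since the description says `next` is the END_NOT_FOUND sentinel (-100) rather than a real offset in the buf_size == 0 case, it would also be cleaner to handle the zero-size (flush) input before this block instead of doing arithmetic on the sentinel, so that the `find_frame_end` state update is not silently dropped for real negative offsets.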