[FFmpeg-devel] MPEG-PS demuxer index memory usage

Måns Rullgård mans
Fri Jan 4 22:18:42 CET 2008


Paul Kelly <paul at stjohnspoint.co.uk> writes:

> On Fri, 4 Jan 2008, Paul Kelly wrote:
>
>> While looking at av_add_index_entry() in depth
> [...]
>
> I've come across something (see memmove() usage in attached patch)
> that looks very much to me like a bug - I find it hard to believe such
> a bug could have existed for so long but I know I'm going to waste
> hours rationalising it to myself if I don't dump it here now so
> apologies if I'm wasting the list's time...
>
> Basically the memmove() looks to me like it's only shifting the array
> of index entries up by 1 byte but then inserting a whole AVIndexEntry,
> resulting in corruption of the index table.
>
> Paul
>
> Index: libavformat/utils.c
> ===================================================================
> --- libavformat/utils.c	(revision 11408)
> +++ libavformat/utils.c	(working copy)
> @@ -1037,7 +1037,7 @@
>          if(ie->timestamp != timestamp){
>              if(ie->timestamp <= timestamp)
>                  return -1;
> -            memmove(entries + index + 1, entries + index, sizeof(AVIndexEntry)*(st->nb_index_entries - index));
> +            memmove(&entries[index + 1], &entries[index], sizeof(AVIndexEntry)*(st->nb_index_entries - index));
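Review bot: this hunk is a no-op and should be dropped, since `entries + index + 1` and `&entries[index + 1]` denote the same address. Pointer arithmetic on an `AVIndexEntry *` is scaled by `sizeof(AVIndexEntry)`, so the existing `memmove()` already shifts `st->nb_index_entries - index` whole entries, not bytes, and the suspected corruption does not follow from the visible lines. If the rewrite is kept purely for readability, the commit message should say so rather than describe it as a bug fix.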

Those two lines are exactly equivalent.  In C, the construct a[b] can
always be replaced by ((a) + (b)) and conversely.  This means that the
first argument to the above memmove() call could be written
&index[entries]+1, or even &1[entries]+index, should one feel thusly
inclined.

-- 
Måns Rullgård
mans at mansr.com
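As an added illustration of the point made in the reply above (this is example code, not FFmpeg's utils.c or anything either poster sent), the block below uses a hypothetical IndexEntry struct as a stand-in for AVIndexEntry, checks that all four spellings of the destination pointer compare equal, measures that the distance between consecutive entries is sizeof(IndexEntry) rather than one byte, and runs a simplified insert loop around the same memmove() on a constructed set of timestamps to show the table stays intact. The struct fields, the function names and the sample timestamps are assumptions made for the example.

```c
/* Added example, not FFmpeg code: pointer arithmetic on a typed pointer is
 * scaled by the element size, so the quoted memmove() moves whole entries. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for AVIndexEntry; the field set is assumed. */
typedef struct {
    int64_t pos;
    int64_t timestamp;
    int     size;
    int     flags;
} IndexEntry;

/* Returns 1 if the four spellings of "entries + index + 1" from the reply
 * all yield the same address. */
int address_forms_agree(void)
{
    IndexEntry entries[4];
    int index = 1;
    IndexEntry *a = entries + index + 1;
    IndexEntry *b = &entries[index + 1];
    IndexEntry *c = &index[entries] + 1;   /* a[b] == b[a] in C */
    IndexEntry *d = &1[entries] + index;
    return a == b && b == c && c == d;
}

/* Byte distance between entries[i] and entries[i+1]: sizeof(IndexEntry), not 1. */
size_t entry_stride(void)
{
    IndexEntry entries[2];
    return (size_t)((char *)&entries[1] - (char *)&entries[0]);
}

/* Insert ts at its sorted position using the memmove() form from the patch
 * context; returns the index used, or -1 on a full table or a duplicate ts. */
int insert_sorted(IndexEntry *entries, int *nb, int cap, int64_t ts, int64_t pos)
{
    int index = 0;
    if (*nb >= cap)
        return -1;
    while (index < *nb && entries[index].timestamp < ts)
        index++;
    if (index < *nb && entries[index].timestamp == ts)
        return -1;
    /* Shifts (*nb - index) whole entries up by one slot. */
    memmove(entries + index + 1, entries + index, sizeof(IndexEntry) * (*nb - index));
    entries[index].timestamp = ts;
    entries[index].pos       = pos;
    entries[index].size      = 0;
    entries[index].flags     = 0;
    (*nb)++;
    return index;
}

/* Builds a table from constructed timestamps 40,10,30,20 (pos = 100 * input
 * order) and returns the entry count if ordering and payloads survived the
 * shifts, otherwise -1. */
int demo_count(void)
{
    IndexEntry table[8];
    int nb = 0;
    int64_t ts[] = { 40, 10, 30, 20 };            /* constructed sample input */
    int64_t want_ts[]  = { 10, 20, 30, 40 };
    int64_t want_pos[] = { 100, 300, 200, 0 };

    for (int i = 0; i < 4; i++)
        if (insert_sorted(table, &nb, 8, ts[i], (int64_t)i * 100) < 0)
            return -1;
    for (int i = 0; i < nb; i++)
        if (table[i].timestamp != want_ts[i] || table[i].pos != want_pos[i])
            return -1;
    return nb;
}
```

Compile with any C99 compiler; address_forms_agree() and entry_stride() are the checks that settle the question, and demo_count() shows the byte-shift theory would have produced garbage positions had it been true.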