[FFmpeg-devel] [PATCH] find_info_tag: Make sure the output buffer is null terminated

Ronald S. Bultje rsbultje
Tue Oct 5 21:31:29 CEST 2010


Hi,

On Tue, Oct 5, 2010 at 3:28 PM, Martin Storsjö <martin at martin.st> wrote:
> On Tue, 5 Oct 2010, Ronald S. Bultje wrote:
>> On Tue, Oct 5, 2010 at 9:24 AM, Martin Storsjo <martin at martin.st> wrote:
>> > Currently, a tag without a = character makes the function return 1
>> > but leaves the arg buffer untouched (and thus not null terminated).
>> > ---
>> > ?libavformat/utils.c | ? ?2 +-
>> > ?1 files changed, 1 insertions(+), 1 deletions(-)
>> >
>> > diff --git a/libavformat/utils.c b/libavformat/utils.c
>> > index 5985511..a545a5d 100644
>> > --- a/libavformat/utils.c
>> > +++ b/libavformat/utils.c
>> > @@ -3361,8 +3361,8 @@ int find_info_tag(char *arg, int arg_size, const char *tag1, const char *info)
>> > ? ? ? ? ? ? ? ? }
>> > ? ? ? ? ? ? ? ? p++;
>> > ? ? ? ? ? ? }
>> > - ? ? ? ? ? ?*q = '\0';
>> > ? ? ? ? }
>> > + ? ? ? ?*q = '\0';
>> > ? ? ? ? if (!strcmp(tag, tag1))
>> > ? ? ? ? ? ? return 1;
>> > ? ? ? ? if (*p != '&')
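Review bot: the relocated `*q = '\0';` fixes the described bug, but the commit message should spell out the resulting behaviour: since `q = arg;` precedes the `if (*p == '=')` branch, a matching tag without `=` now returns 1 with `arg` set to the empty string, so callers can no longer tell "tag present without a value" from "tag present with an empty value". The terminating write also presupposes `arg_size >= 1` (the `(q - arg) < arg_size - 1` check only bounds the copy loop, and a zero-length buffer would be written both before and after this change); either a documented precondition on `arg_size` or an early `if (arg_size <= 0) return 0;` would close that.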
>> [..]
>>         *q = '\0'; <----------- !!!!!
>>         q = arg;
>>         if (*p == '=') {
>>             p++;
>>             while (*p != '&' && *p != '\0') {
>>                 if ((q - arg) < arg_size - 1) {
>>                     if (*p == '+')
>>                         *q++ = ' ';
>>                     else
>>                         *q++ = *p;
>>                 }
>>                 p++;
>>             }
>>             *q = '\0';
>>         }
>>
>> I don't think this is an actual issue... ?
>
> Yes, it's an actual issue. q initially points to the tag array, then
> below that line is set to point at arg. If the *p == '=' branch isn't
> taken, nothing is written into arg, while still returning 1.

Oh right, I'm smoking weird stuff lately. Not sure how I missed it.

Patch ok.

Ronald