[FFmpeg-devel] [PATCH] find_info_tag: Make sure the output buffer is null terminated

Martin Storsjö martin
Tue Oct 5 21:34:18 CEST 2010


On Tue, 5 Oct 2010, Ronald S. Bultje wrote:

> On Tue, Oct 5, 2010 at 3:28 PM, Martin Storsjö <martin at martin.st> wrote:
> > On Tue, 5 Oct 2010, Ronald S. Bultje wrote:
> >> On Tue, Oct 5, 2010 at 9:24 AM, Martin Storsjo <martin at martin.st> wrote:
> >> > Currently, a tag without a = character makes the function return 1
> >> > but leaves the arg buffer untouched (and thus not null terminated).
> >> > ---
> >> > ?libavformat/utils.c | ? ?2 +-
> >> > ?1 files changed, 1 insertions(+), 1 deletions(-)
> >> >
> >> > diff --git a/libavformat/utils.c b/libavformat/utils.c
> >> > index 5985511..a545a5d 100644
> >> > --- a/libavformat/utils.c
> >> > +++ b/libavformat/utils.c
> >> > @@ -3361,8 +3361,8 @@ int find_info_tag(char *arg, int arg_size, const char *tag1, const char *info)
> >> > ? ? ? ? ? ? ? ? }
> >> > ? ? ? ? ? ? ? ? p++;
> >> > ? ? ? ? ? ? }
> >> > - ? ? ? ? ? ?*q = '\0';
> >> > ? ? ? ? }
> >> > + ? ? ? ?*q = '\0';
> >> > ? ? ? ? if (!strcmp(tag, tag1))
> >> > ? ? ? ? ? ? return 1;
> >> > ? ? ? ? if (*p != '&')
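Review bot: the relocated `*q = '\0';` after the closing brace stores through q on every pass of the loop with no check against arg_size, unlike the copy loop, which is bounded by `(q - arg) < arg_size - 1`. For a tag without a value q equals arg at that point, so the store lands on arg[0] even if a caller passes arg_size 0. Either guard the store with `if (arg_size > 0)` or state in the function's documentation that arg_size must be at least 1, and that a tag found without '=' yields an empty string in arg.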
> >> [..]
> >>         *q = '\0'; <----------- !!!!!
> >>         q = arg;
> >>         if (*p == '=') {
> >>             p++;
> >>             while (*p != '&' && *p != '\0') {
> >>                 if ((q - arg) < arg_size - 1) {
> >>                     if (*p == '+')
> >>                         *q++ = ' ';
> >>                     else
> >>                         *q++ = *p;
> >>                 }
> >>                 p++;
> >>             }
> >>             *q = '\0';
> >>         }
> >>
> >> I don't think this is an actual issue... ?
> >
> > Yes, it's an actual issue. q initially points to the tag array, then
> > below that line is set to point at arg. If the *p == '=' branch isn't
> > taken, nothing is written into arg, while still returning 1.
> 
> Oh right, I'm smoking weird stuff lately. Not sure how I missed it.
> 
> Patch ok.

Good, applied.

// Martin
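
The behaviour discussed in this thread, as an added example that is not code from the thread or from FFmpeg: a simplified C model of the quoted lookup loop with a hypothetical `patched` switch that selects whether the terminator is also written after the '=' branch. The names find_tag_model and lookup_first_byte, the 'X' fill and the query strings are constructed for illustration; the example also covers the case where an earlier tag's value is left in arg.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the loop quoted in the thread; not FFmpeg source.
 * patched == 1 adds the terminator after the '=' branch, as the patch does. */
static int find_tag_model(char *arg, int arg_size, const char *tag1,
                          const char *info, int patched)
{
    const char *p = info;
    char tag[128], *q;
    for (;;) {
        q = tag;
        while (*p != '\0' && *p != '=' && *p != '&') {
            if ((size_t)(q - tag) < sizeof(tag) - 1)
                *q++ = *p;
            p++;
        }
        *q = '\0';
        q = arg;
        if (*p == '=') {
            p++;
            while (*p != '&' && *p != '\0') {
                if ((q - arg) < arg_size - 1)
                    *q++ = (*p == '+') ? ' ' : *p;
                p++;
            }
            *q = '\0';          /* old placement: only reached when '=' is present */
        }
        if (patched)
            *q = '\0';          /* new placement: arg is terminated on every pass */
        if (!strcmp(tag, tag1))
            return 1;
        if (*p++ != '&')
            return 0;
    }
}

/* Looks up "flag" in a constructed query; returns arg[0], or -1 if not found. */
static int lookup_first_byte(const char *info, int patched)
{
    char arg[8];
    memset(arg, 'X', sizeof(arg));      /* stand-in for stale caller data */
    if (!find_tag_model(arg, (int)sizeof(arg), "flag", info, patched))
        return -1;
    return arg[0];
}

int main(void)
{
    return printf("old: %d, patched: %d\n", lookup_first_byte("a=1&flag", 0), lookup_first_byte("a=1&flag", 1)) < 0;
}
```

With the old placement a caller that trusts the return value of 1 reads either its own stale bytes or the value of the previous tag; with the patched placement it reads an empty string.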


