On Wed, May 25, 2016 at 01:01:27PM +0300, Andriy Lysnevych wrote:
> You are right. Please review updated patch.
> avpacket.c | 19 ++++++++++++------- > 1 file changed, 12 insertions(+), 7 deletions(-) > 44aa8ad5f855c68cbed7da06dbf2be888ede301d > 0001-Respect-payload-offset-in-av_grow_packet.patch > From 62b31fa4b05fc600eada4fb28b352e5b87bd60f8 Mon Sep 17 00:00:00 2001 > From: Andriy Lysnevych <[email protected]> > Date: Wed, 25 May 2016 12:55:39 +0300 > Subject: [PATCH] Respect payload offset in av_grow_packet > > --- > libavcodec/avpacket.c | 19 ++++++++++++------- > 1 file changed, 12 insertions(+), 7 deletions(-) > > diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c > index bcc7c79..68b5202 100644 > --- a/libavcodec/avpacket.c > +++ b/libavcodec/avpacket.c > @@ -110,24 +110,29 @@ int av_grow_packet(AVPacket *pkt, int grow_by) > { > int new_size; > av_assert0((unsigned)pkt->size <= INT_MAX - > AV_INPUT_BUFFER_PADDING_SIZE); > - if (!pkt->size) > - return av_new_packet(pkt, grow_by); > if ((unsigned)grow_by > > INT_MAX - (pkt->size + AV_INPUT_BUFFER_PADDING_SIZE)) > return -1; > > new_size = pkt->size + grow_by + AV_INPUT_BUFFER_PADDING_SIZE; > if (pkt->buf) { > - int ret = av_buffer_realloc(&pkt->buf, new_size); > - if (ret < 0) > - return ret; > + int data_offset = pkt->data - pkt->buf->data; > + if ((unsigned)data_offset > INT_MAX - new_size) > + return -1;

data_offset should probably be size_t, that's also what offsetof() would give.
A pointer difference can be larger than INT_MAX.

Also please add an av_assert0 that pkt->data is not NULL or handle that case,
as pkt->size can be 0. I am not sure pkt->data is guaranteed to be non null.

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

While the State exists there can be no freedom; when there is freedom there
will be no State. -- Vladimir Lenin
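
Review bot: In the if (pkt->buf) branch, "int data_offset = pkt->data - pkt->buf->data;" narrows a pointer difference to int before the "(unsigned)data_offset > INT_MAX - new_size" test, so the test runs on a value that may already be truncated; compute the difference in a pointer-sized type and range-check it before narrowing. The visible check also bounds the offset only against INT_MAX, not against the size of the buffer that pkt->buf refers to, so an assert that the payload lies inside that buffer would make the invariant explicit. With the "if (!pkt->size) return av_new_packet(pkt, grow_by);" shortcut removed, an empty packet that has pkt->buf set now reaches this subtraction, so pkt->data should be checked or asserted non-NULL first. The commit message has only a subject line; one sentence on why the shortcut is dropped would help later readers.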
_______________________________________________ ffmpeg-devel mailing list [email protected] http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
