tor 2018-03-01 klockan 22:41 +0100 skrev Marton Balint:
> > Signed-off-by: Marton Balint <[email protected]>
> ---
> libavformat/mxfdec.c | 22 ++++++++++++++--------
> 1 file changed, 14 insertions(+), 8 deletions(-)
>
> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> index d4291f5dc7..70091e0dc9 100644
> --- a/libavformat/mxfdec.c
> +++ b/libavformat/mxfdec.c
> @@ -1347,24 +1347,30 @@ static int mxf_get_sorted_table_segments(MXFContext
> *mxf, int *nb_sorted_segment
> */
> static int mxf_absolute_bodysid_offset(MXFContext *mxf, int body_sid,
> int64_t offset, int64_t *offset_out)
> {
> - int x;
> MXFPartition *last_p = NULL;
> + int a, b, m, m0;
>
> if (offset < 0)
> return AVERROR(EINVAL);
>
> - for (x = 0; x < mxf->partitions_count; x++) {
> - MXFPartition *p = &mxf->partitions[x];
> + a = -1;
I've got a bad feeling about this -1
> + b = mxf->partitions_count;
>
> - if (p->body_sid != body_sid)
> - continue;
> + while (b - a > 1) {
> + m0 = m = (a + b) >> 1;
Could overflow with a specially crafted file. But I guess it would have
to be on the order of 1 TiB.
It also looks like this might behave incorrectly when a=-1, b=0
>
> - if (p->body_offset > offset)
> - break;
> + while (m < b && mxf->partitions[m].body_sid != body_sid)
> + m++;
>
> - last_p = p;
> + if (m < b && mxf->partitions[m].body_offset <= offset)
> + a = m;
> + else
> + b = m0;
> }
>
> + if (a >= 0)
> + last_p = &mxf->partitions[a];
> +
> if (last_p && (!last_p->essence_length || last_p->essence_length >
> (offset - last_p->body_offset))) {
> *offset_out = last_p->essence_offset + (offset -
> last_p->body_offset);
> return 0;
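Review bot: The bisection that starts at `a = -1;` picks the same partition as the removed linear scan only if, among partitions with the same `body_sid`, `body_offset` never decreases as the index grows, and nothing in the hunk states or checks that ordering. These offsets presumably come from the partition packs of the file being demuxed, so a malformed or crafted file could make the search settle on a different partition than the old loop did, and `*offset_out` would then be derived from an unexpected `essence_offset`. Whether the partition-reading code enforces the ordering is not visible here. If it does, a comment above the loop such as `/* binary search: partitions sharing a body_sid must be in ascending body_offset order */` would record the precondition; if it does not, the ordering should be validated where the partitions are read. A short comment on the roles of `a`, `b`, `m` and `m0` would also help, since `m0` exists only to remember the midpoint before the skip over non-matching `body_sid` entries. The function body continues past the end of the hunk.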
/Tomas