From: Nicolas George <[email protected]> The previous code computes the offset by reversing the growth of the allocated buffer size: it is complex and did lead to inconsistencies when the size limit is reached.
Fix trac ticket #1991. (cherry picked from commit 03847eb8259291b4ff1bd840bd779d0699d71f96) (cherry picked from commit e74cd2f4706f71da5e9205003c1d8263b54ed3fb) Addresses: CVE-2012-6618 CC:[email protected] Signed-off-by: Reinhard Tartler <[email protected]> --- libavformat/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 031fa3b..51ebed7 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -244,7 +244,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, { AVProbeData pd = { filename ? filename : "", NULL, -offset }; unsigned char *buf = NULL; - int ret = 0, probe_size; + int ret = 0, probe_size, buf_offset = 0; if (!max_probe_size) { max_probe_size = PROBE_BUF_MAX; @@ -279,7 +279,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, score = 0; ret = 0; /* error was end of file, nothing read */ } - pd.buf_size += ret; + pd.buf_size = buf_offset += ret; pd.buf = &buf[offset]; memset(pd.buf + pd.buf_size, 0, AVPROBE_PADDING_SIZE); -- 1.8.1.2 _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
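Review bot: In the first hunk (@@ -244,7 +244,7 @@), the new function-scope `buf_offset` is introduced without a comment and without the old computation being removed. The commit message says the previous code derived the offset by reversing the buffer growth, but the diffstat is 2 insertions and 2 deletions, and neither deletion touches such a computation or the read call. Please confirm that no loop-local variable of the same name remains that would shadow this one, and that the read into `buf` uses `buf_offset` as its write position. A one-line comment stating that `buf_offset` is the number of bytes already read into `buf` would also help.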
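Review bot: In the second hunk (@@ -279,7 +279,7 @@), nothing in the visible lines bounds `buf_offset` before `memset(pd.buf + pd.buf_size, 0, AVPROBE_PADDING_SIZE)` writes at `buf + offset + buf_offset`. Since this patch addresses inconsistencies when the size limit is reached, an explicit check or assertion that `buf_offset` does not exceed the size `buf` was allocated with (excluding the padding) would make the invariant visible at the point of the write. As a style point, `pd.buf_size = buf_offset += ret;` is easier to review split into `buf_offset += ret;` followed by `pd.buf_size = buf_offset;`.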
