On 12/01/14 17:53, Reinhard Tartler wrote:
> From: Nicolas George <[email protected]>
>
> The previous code computes the offset by reversing the growth
> of the allocated buffer size: it is complex and did lead to
> inconsistencies when the size limit is reached.
>
> Fix trac ticket #1991.
> (cherry picked from commit 03847eb8259291b4ff1bd840bd779d0699d71f96)
> (cherry picked from commit e74cd2f4706f71da5e9205003c1d8263b54ed3fb)
>
> Addresses: CVE-2012-6618
> CC:[email protected]
> Signed-off-by: Reinhard Tartler <[email protected]>
The commit message would enjoy some work.
> ---
> libavformat/utils.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/libavformat/utils.c b/libavformat/utils.c
> index 031fa3b..51ebed7 100644
> --- a/libavformat/utils.c
> +++ b/libavformat/utils.c
> @@ -244,7 +244,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat
> **fmt,
> {
> AVProbeData pd = { filename ? filename : "", NULL, -offset };
> unsigned char *buf = NULL;
> - int ret = 0, probe_size;
> + int ret = 0, probe_size, buf_offset = 0;
>
> if (!max_probe_size) {
> max_probe_size = PROBE_BUF_MAX;
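Review bot: the function-scope `buf_offset = 0` added to the declaration line does not by itself retire the old offset calculation. The commit message says the previous code computes the offset by reversing the buffer growth, yet the diffstat lists only 2 deletions and neither removed line (`int ret = 0, probe_size;` and `pd.buf_size += ret;`) is that computation. If the old code declares its own block-scope `buf_offset`, it shadows this variable and the read position still comes from the old calculation. Please confirm the old computation is removed in this backport, and consider putting `int buf_offset = 0;` on its own line with a comment saying it counts the bytes read into buf so far.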
> @@ -279,7 +279,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat
> **fmt,
> score = 0;
> ret = 0; /* error was end of file, nothing read */
> }
> - pd.buf_size += ret;
> + pd.buf_size = buf_offset += ret;
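Review bot: in `pd.buf_size = buf_offset += ret;` the plain assignment discards the starting value of pd.buf_size, which the initializer shown in the first hunk's context sets to -offset (`{ filename ? filename : "", NULL, -offset }`). With the old `+=` that value was carried into every update; after this change buf_size is just the running total in buf_offset, with offset no longer subtracted. If that is intended, the `-offset` initializer is now dead and should be dropped or explained; otherwise subtract offset explicitly here. Splitting the chained assignment into `buf_offset += ret;` followed by `pd.buf_size = buf_offset;` would also make the two updates easier to read.
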
Too terse IMHO.
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel