From: Nicolas George <[email protected]> Avoid inconsistencies when the size limit is reached.
Fix trac ticket #1991. (cherry picked from commit e74cd2f4706f71da5e9205003c1d8263b54ed3fb) Addresses: CVE-2012-6618 CC:[email protected] Signed-off-by: Reinhard Tartler <[email protected]> --- libavformat/utils.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 031fa3b..2b2d54f 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -244,7 +244,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, { AVProbeData pd = { filename ? filename : "", NULL, -offset }; unsigned char *buf = NULL; - int ret = 0, probe_size; + int ret = 0, probe_size, buf_offset = 0; if (!max_probe_size) { max_probe_size = PROBE_BUF_MAX; @@ -279,7 +279,8 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, score = 0; ret = 0; /* error was end of file, nothing read */ } - pd.buf_size += ret; + buf_offset += ret; + pd.buf_size = buf_offset; pd.buf = &buf[offset]; memset(pd.buf + pd.buf_size, 0, AVPROBE_PADDING_SIZE); -- 1.8.1.2 _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
