On Fri, 2 Jan 2015, Luca Barbato wrote:
CC: [email protected] ---It is a really ridiculous corner case but happens in real life. libavformat/aviobuf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 6923b78..b7786f7 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -125,8 +125,8 @@ static void flush_buffer(AVIOContext *s) { if (s->buf_ptr > s->buffer) { if (s->write_packet && !s->error) { - int ret = s->write_packet(s->opaque, s->buffer, - s->buf_ptr - s->buffer); + int len = FFMIN(s->buf_ptr - s->buffer, s->buffer_size); + int ret = s->write_packet(s->opaque, s->buffer, len); if (ret < 0) { s->error = ret; } -- 2.1.0
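Review bot: the FFMIN in flush_buffer only limits what is handed to write_packet; it does not address the state that produced the oversized length. If s->buffer_size is the allocated size of s->buffer, then by the time s->buf_ptr - s->buffer exceeds it the bytes past buffer_size have already been stored beyond the buffer, and the clamp now drops them silently instead of failing. At minimum, record the condition when `s->buf_ptr - s->buffer > s->buffer_size` (log it or set s->error) so the caller that advanced buf_ptr past the end can be located, and fix that caller rather than masking it here. The commit message should also name the code path in which this occurs; "happens in real life" gives a reviewer nothing to verify. Minor: `int len = FFMIN(s->buf_ptr - s->buffer, s->buffer_size);` compares a ptrdiff_t with an int, which is harmless here only because buffer_size bounds the result.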
Hmm, looks like a pretty nasty issue if this happens - if it does, I think we might need to add a similar FFMIN() in a number of different places as well. Can you pinpoint where the pointers end up being set out of bounds?
// Martin

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
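To make the behaviour under discussion concrete, the following is an added example written for this thread, not libav code: a cut-down model of an AVIOContext-style write buffer whose flush_buffer clamps the length exactly as the patch does. The IOCtx struct, put_buffer, the Sink type, the overrun flag and the two scenario functions are all inventions of this example. The logical buffer lives inside a larger physical allocation (SLACK) so that a buf_ptr that has run past buffer_size can be simulated without the model itself touching unowned memory. The second scenario shows what the clamp does in that state: write_packet receives buffer_size bytes, the rest is dropped silently, and only the added overrun flag makes the condition visible.

```c
// Simplified model of an AVIOContext-style write buffer and its flush.
// Written as an illustration for this thread; it is not libav code.
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FFMIN(a, b) ((a) > (b) ? (b) : (a))
#define SLACK 64   /* physical headroom so a simulated overrun stays in bounds */

typedef struct IOCtx {
    uint8_t *buffer;      /* start of the write buffer */
    int      buffer_size; /* logical size of the buffer */
    uint8_t *buf_ptr;     /* next byte to be written */
    uint8_t *buf_end;     /* buffer + buffer_size */
    void    *opaque;
    int    (*write_packet)(void *opaque, uint8_t *buf, int len);
    int      error;
    int      overrun;     /* added check: flush saw buf_ptr past buf_end */
} IOCtx;

/* Sink used by the example: appends to a fixed array and counts bytes. */
typedef struct Sink { uint8_t out[256]; int len; } Sink;

static int sink_write(void *opaque, uint8_t *buf, int len) {
    Sink *s = opaque;
    if (len < 0 || s->len + len > (int)sizeof(s->out)) return -1;
    memcpy(s->out + s->len, buf, len);
    s->len += len;
    return len;
}

static void ctx_init(IOCtx *s, uint8_t *storage, int buffer_size, Sink *sink) {
    memset(s, 0, sizeof(*s));
    s->buffer = storage;  s->buffer_size = buffer_size;
    s->buf_ptr = storage; s->buf_end = storage + buffer_size;
    s->opaque = sink;     s->write_packet = sink_write;
}

/* Mirrors the patched flush: the length passed to write_packet is clamped to
   buffer_size. The overrun flag is added so the condition the clamp papers
   over is recorded instead of disappearing. */
static void flush_buffer(IOCtx *s) {
    if (s->buf_ptr > s->buffer) {
        if (s->buf_ptr > s->buf_end) s->overrun = 1;
        if (s->write_packet && !s->error) {
            int len = FFMIN(s->buf_ptr - s->buffer, s->buffer_size);
            int ret = s->write_packet(s->opaque, s->buffer, len);
            if (ret < 0) s->error = ret;
        }
    }
    s->buf_ptr = s->buffer;
}

/* Bounds-checked fill: flushes whenever the buffer is full, so buf_ptr can
   never pass buf_end through this path. */
static void put_buffer(IOCtx *s, const uint8_t *data, int n) {
    while (n > 0) {
        int room  = (int)(s->buf_end - s->buf_ptr);
        int chunk = FFMIN(room, n);
        memcpy(s->buf_ptr, data, chunk);
        s->buf_ptr += chunk; data += chunk; n -= chunk;
        if (s->buf_ptr >= s->buf_end) flush_buffer(s);
    }
}

/* Scenario 1: a well-behaved caller writes 100 bytes through a 32-byte
   buffer. Returns the byte count the sink received; *overrun stays 0. */
int scenario_checked(int *overrun) {
    uint8_t storage[32 + SLACK]; Sink sink = {0}; IOCtx s;
    uint8_t data[100];
    for (int i = 0; i < 100; i++) data[i] = (uint8_t)i;
    ctx_init(&s, storage, 32, &sink);
    put_buffer(&s, data, 100);
    flush_buffer(&s);
    *overrun = s.overrun;
    return sink.len;
}

/* Scenario 2: buf_ptr is advanced 40 bytes into a 32-byte logical buffer
   (still inside the physical SLACK, so the model stays memory-safe). The
   clamped flush hands 32 bytes to write_packet, sets the overrun flag, and
   the remaining 8 bytes are dropped. Returns the byte count the sink got. */
int scenario_overrun(int *overrun, int *dropped) {
    uint8_t storage[32 + SLACK]; Sink sink = {0}; IOCtx s;
    ctx_init(&s, storage, 32, &sink);
    memset(storage, 0xAB, 40);
    s.buf_ptr = s.buffer + 40;   /* simulated out-of-bounds advance */
    flush_buffer(&s);
    *overrun = s.overrun;
    *dropped = 40 - sink.len;
    return sink.len;
}
```

The point of the second scenario is that the clamp changes an out-of-range length into a truncated write: the flush succeeds, s->error stays clear, and without the added overrun flag nothing records that eight bytes went missing, which is why locating the caller that sets buf_ptr past buf_end matters more than the clamp itself.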
