From: Limin Wang <lance.lmw...@gmail.com>
Or it'll cause null pointer dereference if size < sizeof(uint32_t), also
in case tc[0] > 3, the code will report error directly.
Signed-off-by: Limin Wang <lance.lmw...@gmail.com>
---
libavfilter/vf_showinfo.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavfilter/vf_showinfo.c b/libavfilter/vf_showinfo.c
index d7ee677..1634f68 100644
--- a/libavfilter/vf_showinfo.c
+++ b/libavfilter/vf_showinfo.c
@@ -365,15 +365,15 @@ static int filter_frame(AVFilterLink *inlink, AVFrame
*frame)
break;
case AV_FRAME_DATA_S12M_TIMECODE: {
uint32_t *tc = (uint32_t*)sd->data;
- int m = FFMIN(tc[0],3);
- if (sd->size != 16) {
+
+ if ((sd->size != sizeof(uint32_t) * 4) || (tc[0] > 3)) {
av_log(ctx, AV_LOG_ERROR, "invalid data\n");
break;
}
- for (int j = 1; j <= m; j++) {
+ for (int j = 1; j <= tc[0]; j++) {
char tcbuf[AV_TIMECODE_STR_SIZE];
av_timecode_make_smpte_tc_string(tcbuf, tc[j], 0);
- av_log(ctx, AV_LOG_INFO, "timecode - %s%s", tcbuf, j != m ? ",
" : "");
+ av_log(ctx, AV_LOG_INFO, "timecode - %s%s", tcbuf, j != tc[0]
? ", " : "");
}
break;
}
--
1.8.3.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
