avc_find_startcode_internal() would subtract 6 from a pointer (representing the end of a buffer) without checking whether the buffer was actually large enough; but pointer arithmetic is undefined unless the result stays within the buffer.
Signed-off-by: Andreas Rheinhardt <andreas.rheinha...@gmail.com>
---
 libavformat/avc.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/libavformat/avc.c b/libavformat/avc.c
index 55494eb08a..cc92fb1038 100644
--- a/libavformat/avc.c
+++ b/libavformat/avc.c
@@ -44,14 +44,15 @@ static inline unsigned get_ue_golomb(GetBitContext *gb)
 static const uint8_t *avc_find_startcode_internal(const uint8_t *p, const uint8_t *end)
 {
- const uint8_t *a = p + 4 - ((intptr_t)p & 3);
+ if (end - p <= 5)
+ goto rest;
- for (end -= 3; p < a && p < end; p++) {
+ for (; (uintptr_t)p & 3; p++) {
 if (p[0] == 0 && p[1] == 0 && p[2] == 1)
 return p;
 }
- for (end -= 3; p < end; p += 4) {
+ for (end -= 6; p < end; p += 4) {
 uint32_t x = *(const uint32_t*)p;
 // if ((x - 0x01000100) & (~x) & 0x80008000) // little endian
 // if ((x - 0x00010001) & (~x) & 0x00800080) // big endian
@@ -70,13 +71,15 @@ static const uint8_t *avc_find_startcode_internal(const uint8_t *p, const uint8_
 }
 }
 }
+ end += 6;
- for (end += 3; p < end; p++) {
+rest:
+ for (; end - p > 3; p++) {
 if (p[0] == 0 && p[1] == 0 && p[2] == 1)
 return p;
 }
- return end + 3;
+ return end;
 }
 const uint8_t *ff_avc_find_startcode(const uint8_t *p, const uint8_t *end){
--
2.20.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
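Review bot: The new guard `end - p <= 5` and the `end -= 6` bound in the first hunk are right only because the word loop's generic branch, which lies between the two hunks and is visible in neither, reads as far as `p[5]`; nothing in the function records that dependency, so a later edit to that branch can quietly reintroduce the over-read this commit removes. I would put `/* the 4-byte loop below inspects p[0..5], so it needs end - p >= 6; the byte loops need 3 */` above the guard. The tail loop under `rest:` keeps the original `end - p > 3` test, so a start code occupying exactly the last three bytes is still reported as absent; if that is deliberate (nothing can follow it), a one-line comment there would spare the next reader the same analysis. Independently of this change, `*(const uint32_t*)p` on the context line of the first hunk is still a type-punning read of a `uint8_t` buffer; now that `p` is guaranteed 4-aligned, `AV_RN32A(p)` from libavutil/intreadwrite.h would express the same aligned read without relying on that aliasing. avc_find_startcode_internal() begins in the first hunk and ends in the second.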