On Mon, Feb 08, 2021 at 02:25:50PM +0100, Michael Niedermayer wrote: > On Sat, Feb 06, 2021 at 11:33:38AM -0800, Chad Fraleigh wrote: > > On 2/6/2021 9:22 AM, Michael Niedermayer wrote: > > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > > --- > > > libavformat/mov.c | 5 +++++ > > > 1 file changed, 5 insertions(+) > > > > > > diff --git a/libavformat/mov.c b/libavformat/mov.c > > > index 9406e42f49..70f76caff5 100644 > > > --- a/libavformat/mov.c > > > +++ b/libavformat/mov.c > > > @@ -7113,6 +7113,11 @@ static int mov_probe(const AVProbeData *p) > > > if ((offset + 8) > (unsigned int)p->buf_size) > > > break; > > > size = AV_RB32(p->buf + offset); > > > + if (size == 1 && offset + 16 > (unsigned int)p->buf_size) { > > > + size = AV_RB64(p->buf+offset + 8); > > > > Just curious, what happens when size == 1 and the buffer is too small? Is > > leaving it as a size of 1 still valid, or should it be handled as a format > > error (e.g. abort the loop)? > > The buffer must have a minimum padding of AVPROBE_PADDING_SIZE > so the buffer cannot be too small. This extra padding requirement is > there for exactly cases like this, otherwise alot more checks would be > needed in many probe functions
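Review bot: The bounds test on the added `if (size == 1 && offset + 16 > (unsigned int)p->buf_size)` line looks inverted. As written, the 64-bit size at `p->buf+offset + 8` is read only when `offset + 16` exceeds `buf_size`. That means the read never happens when the 16 bytes lie fully inside the probed data, and when it does happen it always reaches at least partly into the padding. If the intent is to use the 64-bit size when it is actually present in the buffer, the comparison would be `offset + 16 <= (unsigned int)p->buf_size`. The `size == 1` case that fails the test then needs an explicit outcome rather than continuing with a size of 1, which is the point raised in the question quoted above.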
will apply

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

There will always be a question for which you do not know the correct answer.