On Mon, May 16, 2016 at 12:25:00PM +0300, Andriy Lysnevych wrote:
> Sorry, looks like problems with my mail client. Sending patch as attachment.
> avpacket.c | 25 +++++++++++++++---------- > 1 file changed, 15 insertions(+), 10 deletions(-) > 7afc9ec25e99e6106402207ce30714a3e65a9639 > 0001-Respect-payload-offset-in-av_grow_packet.patch > From 45f69d7f02928ad8abae3fc591082997590c597a Mon Sep 17 00:00:00 2001 > From: Andriy Lysnevych <andriy.lysnev...@gmail.com> > Date: Mon, 16 May 2016 12:08:33 +0300 > Subject: [PATCH] Respect payload offset in av_grow_packet > > --- > libavcodec/avpacket.c | 25 +++++++++++++++---------- > 1 file changed, 15 insertions(+), 10 deletions(-) > > diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c > index bcc7c79..327cd41 100644 > --- a/libavcodec/avpacket.c > +++ b/libavcodec/avpacket.c > @@ -110,24 +110,29 @@ int av_grow_packet(AVPacket *pkt, int grow_by) > { > int new_size; > av_assert0((unsigned)pkt->size <= INT_MAX - > AV_INPUT_BUFFER_PADDING_SIZE); > - if (!pkt->size) > - return av_new_packet(pkt, grow_by); > - if ((unsigned)grow_by > > - INT_MAX - (pkt->size + AV_INPUT_BUFFER_PADDING_SIZE)) > - return -1; > > new_size = pkt->size + grow_by + AV_INPUT_BUFFER_PADDING_SIZE;

you remove the overflow check, which makes this undefined behavior (note that this is also so when the value is not used)

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The real ebay dictionary, page 1
"Used only once" - "Some unspecified defect prevented a second use"
"In good condition" - "Can be repaird by experienced expert"
"As is" - "You wouldnt want it even if you were payed for it, if you knew ..."
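Review bot: removing the `if ((unsigned)grow_by > INT_MAX - (pkt->size + AV_INPUT_BUFFER_PADDING_SIZE)) return -1;` check directly before `new_size = pkt->size + grow_by + AV_INPUT_BUFFER_PADDING_SIZE;` leaves that addition unbounded: the av_assert0 above it only guarantees that pkt->size + AV_INPUT_BUFFER_PADDING_SIZE fits in an int, so a sufficiently large grow_by still overflows new_size, which is undefined behaviour for signed arithmetic in C regardless of whether the result is used, and in practice yields a wrapped-around value for the new buffer size. If the goal of the patch is to account for the offset of the payload within its buffer, extend the bound to include that offset rather than drop it, keeping the `return -1` error path. The `if (!pkt->size) return av_new_packet(pkt, grow_by);` fast path is also removed; since the rest of the function is cut at [...], whether an empty packet is still handled correctly cannot be judged from this excerpt, so the commit message should say how that case is covered.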
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel