[FFmpeg-cvslog] avformat/webmdashenc: Check id in adaption_sets

Michael Niedermayer git at videolan.org
Fri May 10 22:02:39 EEST 2019


ffmpeg | branch: release/3.2 | Michael Niedermayer <michael at niedermayer.cc> | Wed Feb 13 10:15:04 2019 +0100| [0213519addc3a367b4c1e8681941b12febcefe7f] | committer: Michael Niedermayer

avformat/webmdashenc: Check id in adaption_sets

Fixes: out of array access

Found-by: Wenxiang Qian
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit b687b549aa0fb115861b1343208de8c2630803bf)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0213519addc3a367b4c1e8681941b12febcefe7f
---

 libavformat/webmdashenc.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c
index 9dc9b36d31..8d083088cb 100644
--- a/libavformat/webmdashenc.c
+++ b/libavformat/webmdashenc.c
@@ -439,6 +439,7 @@ static int parse_adaptation_sets(AVFormatContext *s)
             continue;
         else if (state == new_set && !strncmp(p, "id=", 3)) {
             void *mem = av_realloc(w->as, sizeof(*w->as) * (w->nb_as + 1));
+            const char *comma;
             if (mem == NULL)
                 return AVERROR(ENOMEM);
             w->as = mem;
@@ -447,6 +448,11 @@ static int parse_adaptation_sets(AVFormatContext *s)
             w->as[w->nb_as - 1].streams = NULL;
             p += 3; // consume "id="
             q = w->as[w->nb_as - 1].id;
+            comma = strchr(p, ',');
+            if (!comma || comma - p >= sizeof(w->as[w->nb_as - 1].id)) {
+                av_log(s, AV_LOG_ERROR, "'id' in 'adaptation_sets' is malformed.\n");
+                return AVERROR(EINVAL);
+            }
             while (*p != ',') *q++ = *p++;
             *q = 0;
             p++;



More information about the ffmpeg-cvslog mailing list