[Ffmpeg-devel] [patch] libavcodec/mpeg12.c:find_start_code() off by one
Jim Westfall
jwestfall
Tue Jan 10 19:24:59 CET 2006
Hi

There is an off-by-one error in find_start_code() that can (and does) trigger a
segfault within mpeg1_decode_picture(), because it ends up being passed -1 as
the input_size.
static int find_start_code(const uint8_t **pbuf_ptr, const uint8_t *buf_end)
{
    const uint8_t *buf_ptr= *pbuf_ptr;

    buf_ptr++; // guarantees that -1 is within the array
    buf_end -= 2; // guarantees that +2 is within the array

    while (buf_ptr < buf_end) {
        if(*buf_ptr==0){
            while(buf_ptr < buf_end && buf_ptr[1]==0)
                buf_ptr++;

            if(buf_ptr[-1] == 0 && buf_ptr[1] == 1){
                *pbuf_ptr = buf_ptr+3;
                return buf_ptr[2] + 0x100;
            }
        }
        buf_ptr += 2;
    }
If the inner while loop exits because buf_ptr == buf_end, and the
following if statement is true, the code sets *pbuf_ptr = buf_ptr+3,
which is 1 byte past the real end of the buffer (buf_end+2).
jim
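To make the fault path concrete, here is an added example (editor's code, not from this post or from FFmpeg): an offset-based transcription of find_start_code() in which every byte read goes through a bounds-checked helper, so an out-of-range read is counted instead of segfaulting. It runs the scanner in three flavours over two constructed buffers: the original `buf_end -= 2`, the `buf_end -= 3` from the patch, and a third variant (assumed here, not proposed in the post) that keeps `-= 2` but stops the inner zero-run loop one byte earlier. The truncated buffer `00 00 00 01` shows the original reading one byte past the end and handing the caller a pointer at end+1 (input_size -1); the second buffer, ending in a complete sequence_end_code `00 00 01 B7`, shows that shrinking buf_end by 3 can skip a start code that ends on the buffer's last byte, while the alternative still finds it.

```c
#include <stdint.h>
#include <stdio.h>

/* Which version of find_start_code() to emulate. */
enum variant {
    V_ORIGINAL,  /* buf_end -= 2, as in mpeg12.c before the patch            */
    V_PATCH,     /* buf_end -= 3, as proposed in the patch                   */
    V_ALT        /* buf_end -= 2, inner loop stops one byte earlier: an      */
                 /* alternative fix assumed here, not taken from the post    */
};

typedef struct {
    int code;        /* start code (0x100..0x1FF), or -1 when none was found */
    int next;        /* offset that *pbuf_ptr is advanced to                 */
    int input_size;  /* what the caller computes as buf_end - buf_ptr        */
    int oob_reads;   /* byte reads outside [0, len): the would-be segfaults  */
} scan_result;

/* Bounds-checked byte read standing in for a raw pointer dereference.
 * An out-of-range read is counted and yields 0 instead of faulting. */
static uint8_t rd(const uint8_t *buf, int len, int off, int *oob)
{
    if (off < 0 || off >= len) {
        (*oob)++;
        return 0;
    }
    return buf[off];
}

/* Offset-based transcription of find_start_code(). Only the two lines
 * marked VARIANT differ between versions; the rest is the same logic. */
static scan_result scan(const uint8_t *buf, int len, enum variant v)
{
    scan_result r = { -1, 0, 0, 0 };
    int shrink = (v == V_PATCH) ? 3 : 2;   /* VARIANT: buf_end -= 2 or 3   */
    int p = 1;                              /* buf_ptr++: -1 stays in bounds */
    int end = len - shrink;

    while (p < end) {
        if (rd(buf, len, p, &r.oob_reads) == 0) {
            /* VARIANT: V_ALT stops the zero-run walk at end-1, so p+2
             * below is at most len-1 and never reaches the real end. */
            int limit = (v == V_ALT) ? end - 1 : end;
            while (p < limit && rd(buf, len, p + 1, &r.oob_reads) == 0)
                p++;
            if (rd(buf, len, p - 1, &r.oob_reads) == 0 &&
                rd(buf, len, p + 1, &r.oob_reads) == 1) {
                r.code = rd(buf, len, p + 2, &r.oob_reads) + 0x100;
                r.next = p + 3;
                r.input_size = len - r.next;
                return r;
            }
        }
        p += 2;
    }
    r.next = end + shrink;                  /* undo the hack above          */
    r.input_size = len - r.next;
    return r;
}

/* Constructed inputs (not from the post): a buffer ending in 00 00 00 01
 * with the fourth start-code byte cut off, and one whose final bytes are
 * a complete sequence_end_code 00 00 01 B7. */
static const uint8_t TRUNCATED[] = { 0x00, 0x00, 0x00, 0x01 };
static const uint8_t TAIL_CODE[] = { 0xAA, 0xAA, 0x00, 0x00, 0x01, 0xB7 };
#define LEN(a) ((int)sizeof(a))

static void report(const char *name, const uint8_t *buf, int len)
{
    static const char *labels[] = { "original", "patch", "alt" };
    for (int v = V_ORIGINAL; v <= V_ALT; v++) {
        scan_result r = scan(buf, len, (enum variant)v);
        printf("%-9s %-8s code=%d next=%d/%d input_size=%d oob_reads=%d\n",
               name, labels[v], r.code, r.next, len, r.input_size, r.oob_reads);
    }
}

int main(void)
{
    report("truncated", TRUNCATED, LEN(TRUNCATED));
    report("tailcode", TAIL_CODE, LEN(TAIL_CODE));
    return 0;
}
```

The `oob_reads` counter is the direct analogue of the crash: in the original flavour the truncated buffer produces exactly one read at offset len (the `buf_ptr[2]` after the inner loop stops at `buf_end`), and `next` lands at len+1, which is where the caller's negative input_size comes from. The third flavour is only a suggestion for comparison; it changes behaviour solely on the path that would otherwise read past the end.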
Index: libs/libavcodec/mpeg12.c
===================================================================
--- libs/libavcodec/mpeg12.c (revision 8504)
+++ libs/libavcodec/mpeg12.c (working copy)
@@ -2188,7 +2188,7 @@
const uint8_t *buf_ptr= *pbuf_ptr;
buf_ptr++; //gurantees that -1 is within the array
- buf_end -= 2; // gurantees that +2 is within the array
+ buf_end -= 3; // gurantees that +3 is within the array
while (buf_ptr < buf_end) {
if(*buf_ptr==0){
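Review bot: changing `buf_end -= 2` to `buf_end -= 3` does stop the overrun, but it also moves the `buf_ptr < buf_end` bound of the outer loop one byte earlier, so a start code whose fourth byte is the very last byte of the buffer is only found if the inner zero-run loop walks onto its second zero; when the two-byte stride lands on that position directly it is now rejected and the code returns -1. The actual fault is the inner `while(buf_ptr < buf_end && buf_ptr[1]==0)` loop exiting with buf_ptr == buf_end, after which `buf_ptr[2]` is the byte at the real buffer end and `buf_ptr+3` is one past it. Keeping `-= 2` and tightening only the inner loop, e.g. `while(buf_ptr + 1 < buf_end && buf_ptr[1]==0)`, keeps buf_ptr[2] at or below the last byte without shortening the outer scan. Also, the comment on the added line still spells it "gurantees"; since the line is being rewritten anyway, "guarantees" would be the moment to fix it.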
@@ -2202,7 +2202,7 @@
}
buf_ptr += 2;
}
- buf_end += 2; //undo the hack above
+ buf_end += 3; //undo the hack above
*pbuf_ptr = buf_end;
return -1;
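Review bot: this hunk only mirrors the `-3` from the first hunk so that the not-found path still sets *pbuf_ptr to the real buffer end; that is correct as long as both constants agree. If the first hunk is reworked to keep `buf_end -= 2` (tightening the inner loop instead), this line must stay `buf_end += 2`, otherwise the not-found return would itself hand the caller a pointer one byte past the buffer, the same symptom this patch is meant to remove. Worth a one-line comment tying the two constants together so they are not changed independently later.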