[FFmpeg-cvslog] avformat/webmdashenc: Check id in adaption_sets
Michael Niedermayer
git at videolan.org
Sun Feb 17 11:53:01 EET 2019
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Wed Feb 13 10:15:04 2019 +0100| [b687b549aa0fb115861b1343208de8c2630803bf] | committer: Michael Niedermayer
avformat/webmdashenc: Check id in adaption_sets
Fixes: out of array access
Found-by: Wenxiang Qian
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b687b549aa0fb115861b1343208de8c2630803bf
---
libavformat/webmdashenc.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c
index 1280d8a763..26b8727304 100644
--- a/libavformat/webmdashenc.c
+++ b/libavformat/webmdashenc.c
@@ -466,6 +466,7 @@ static int parse_adaptation_sets(AVFormatContext *s)
continue;
else if (state == new_set && !strncmp(p, "id=", 3)) {
void *mem = av_realloc(w->as, sizeof(*w->as) * (w->nb_as + 1));
+ const char *comma;
if (mem == NULL)
return AVERROR(ENOMEM);
w->as = mem;
@@ -474,6 +475,11 @@ static int parse_adaptation_sets(AVFormatContext *s)
w->as[w->nb_as - 1].streams = NULL;
p += 3; // consume "id="
q = w->as[w->nb_as - 1].id;
+ comma = strchr(p, ',');
+ if (!comma || comma - p >= sizeof(w->as[w->nb_as - 1].id)) {
+ av_log(s, AV_LOG_ERROR, "'id' in 'adaptation_sets' is malformed.\n");
+ return AVERROR(EINVAL);
+ }
while (*p != ',') *q++ = *p++;
*q = 0;
p++;
More information about the ffmpeg-cvslog
mailing list