[FFmpeg-devel] Patch (1/2) Decoding of Teletext Descriptor (0x56)
JULIAN GARDNER
joolzg at btinternet.com
Mon Sep 23 14:32:16 CEST 2013
----- Original Message -----
> From: Clément Bœsch <u at pkh.me>
> To: FFmpeg development discussions and patches <ffmpeg-devel at ffmpeg.org>
> Cc:
> Sent: Monday, 23 September 2013, 14:28
> Subject: Re: [FFmpeg-devel] Patch (1/2) Decoding of Teletext Descriptor (0x56)
>
> On Mon, Sep 23, 2013 at 01:25:19PM +0100, JULIAN GARDNER wrote:
> [...]
>> >> + if (l<(sizeof( language) - 9)) {
>> >> + mag = type;
>> >> + type >>= 3;
>> >> + if (type < sizeof( types)) {
>> >> + mag &= 7; if (!mag) mag = 8;
>> >> + sprintf( language+l,
> "%c%c%c,%c%d%02x,", l0, l1,
>> >> + l2, types[ type], mag, page);
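Review bot: the bound in `if (l<(sizeof( language) - 9))` is counted by hand from the `sprintf` format two lines below it, and it leaves room for exactly nine characters plus the terminator, which holds only while `%d` prints one digit and `%02x` prints two. `%02x` sets a minimum width, not a maximum, and the declaration of `page` is not in this hunk, so a sign-extended or wider value would print more than two hex digits and run past that budget. Passing the remaining space explicitly, `snprintf(language + l, sizeof(language) - l, ...)`, and checking the return value removes the dependency on the count. The inner check `type < sizeof( types)` also compares against a size in bytes, which is an element bound only if `types` is an array of char.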
>> >
>> >use snprintf, your if doesn't look safe enough to me.
>> >
>>
>>
>> > + if (l<(sizeof( language) - 9)) {
>> Hmm this protects against a buffer overrun
>>
>
> At least %d can be abused in your sprintf. Maybe %02x as well depending on
> the situation. Just use the safe snprintf.
>
mag can be 1-8
page can be 0-255, 00 to FF
How can this be abused, they are fixed sizes in the stream, 1 byte each?
joolz
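
Added example, not part of the original message or of the FFmpeg patch: the C below measures how many characters the quoted format string emits and appends an entry with snprintf bounded by the space actually left. The contents of types[], the helper names, and the case of page arriving as a sign-extended value are assumptions, since the declarations of mag and page are not shown in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in: the real contents of types[] are not on the page. */
static const char types[] = { 'a', 'b', 'c', 'd' };

/* The guard from the quoted patch, with the buffer size passed in. */
static int old_guard_ok(size_t size, size_t l) { return l < size - 9; }

/* Characters the patch's format emits (NUL excluded) for given mag/page. */
static int entry_len(int mag, int page)
{
    return snprintf(NULL, 0, "%c%c%c,%c%d%02x,",
                    'e', 'n', 'g', types[0], mag, (unsigned)page);
}

/* Hypothetical helper: append one entry at offset *l, bounded by the space
 * actually left. Returns 0 on success, -1 if invalid or it does not fit. */
static int append_entry(char *buf, size_t size, size_t *l,
                        const char *lang, unsigned type_mag, int page)
{
    unsigned type = type_mag >> 3;
    int mag = (type_mag & 7) ? (int)(type_mag & 7) : 8;
    int n;

    if (type >= sizeof(types) / sizeof(types[0]) || *l >= size)
        return -1;
    n = snprintf(buf + *l, size - *l, "%c%c%c,%c%d%02x,",
                 lang[0], lang[1], lang[2], types[type], mag, (unsigned)page);
    if (n < 0 || (size_t)n >= size - *l) {
        buf[*l] = '\0';            /* drop the truncated entry */
        return -1;
    }
    *l += (size_t)n;
    return 0;
}

int main(void)
{
    char buf[12];
    size_t l = 0;
    /* page = -128 models a byte read into a signed char and promoted (assumption). */
    printf("len(page=0xff)=%d len(page=-128)=%d\n",
           entry_len(8, 0xff), entry_len(8, -128));
    printf("old guard passes: %d, bounded append returns: %d\n",
           old_guard_ok(sizeof(buf), l),
           append_entry(buf, sizeof(buf), &l, "eng", 8, -128));
    return 0;
}
```

With mag in 1-8 and page in 0x00-0xFF the entry is always nine characters, so the hand-counted guard is exact; the bounded call keeps the write inside the buffer when either assumption stops holding.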