[FFmpeg-devel] [PATCH] Fix heap buffer overflow in ff_combine_frame
Baozeng Ding
sploving1 at gmail.com
Tue Jun 26 14:02:38 EEST 2018
Signed-off-by: Baozeng Ding <sploving1 at gmail.com>
---
libavcodec/parser.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/libavcodec/parser.c b/libavcodec/parser.c
index f43b197..a9786af 100644
--- a/libavcodec/parser.c
+++ b/libavcodec/parser.c
@@ -355,6 +355,7 @@ int ff_combine_frame(ParseContext *pc, int next,
av_assert0(next >= 0 || pc->buffer);
+ int origin_buf_size = *buf_size;
*buf_size =
pc->overread_index = pc->index + next;
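Review bot: The new `int origin_buf_size = *buf_size;` is declared after the `av_assert0(...)` statement, mixing a declaration into code. Declare it with the function's other locals and assign it at this point, before `*buf_size` is overwritten on the next line. A short comment would record why the value is saved, e.g. `/* input length as passed in; *buf_size is overwritten below, this bounds the later copy from *buf */`. The start of ff_combine_frame is outside the hunk, so its existing declarations are not visible here.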
@@ -370,9 +371,12 @@ int ff_combine_frame(ParseContext *pc, int next,
return AVERROR(ENOMEM);
}
pc->buffer = new_buffer;
- if (next > -AV_INPUT_BUFFER_PADDING_SIZE)
- memcpy(&pc->buffer[pc->index], *buf,
- next + AV_INPUT_BUFFER_PADDING_SIZE);
+ if (next > -AV_INPUT_BUFFER_PADDING_SIZE) {
+ int copy_len = next + AV_INPUT_BUFFER_PADDING_SIZE;
+ if (next + AV_INPUT_BUFFER_PADDING_SIZE > origin_buf_size)
+ copy_len = origin_buf_size;
+ memcpy(&pc->buffer[pc->index], *buf, copy_len);
+ }
pc->index = 0;
*buf = pc->buffer;
}
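Review bot: When `copy_len` is clamped to `origin_buf_size`, the bytes of `pc->buffer` from `pc->index + copy_len` up to `pc->index + next + AV_INPUT_BUFFER_PADDING_SIZE` are never written, so later readers of the combined frame may see stale or uninitialized heap data where frame bytes and padding are expected. Zeroing the remainder after the copy would avoid that: `memset(&pc->buffer[pc->index + copy_len], 0, next + AV_INPUT_BUFFER_PADDING_SIZE - copy_len);`. This assumes the reallocation above the hunk sizes the buffer for that full length. The clamp also bounds the read at exactly `origin_buf_size`, which drops any padding the caller supplied after the input; whether that padding is guaranteed is not visible here. A non-positive `origin_buf_size` is not handled explicitly either, and a negative value would become a very large `memcpy` length, so `if (copy_len > 0)` before the copy would be a cheap guard. The enclosing `if` block and the allocation start outside the hunk.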
--
2.7.4