diff mbox series

[FFmpeg-devel,2/2] avformat/assenc: fix strstr calls on non-string

Message ID 20230131111349.1338846-1-tim@ngus.net
State New
Headers show
Series None | expand

Commit Message

Tim Angus Jan. 31, 2023, 11:13 a.m. UTC 
In the write_header function of the ASS encoder, extradata is
searched for a substring using the strstr function. strstr expects a
null terminated C string as its first parameter, but extradata is
(notionally) not one of these, meaning that the calls to strstr only
happen to work because (presumably) they encounter a 0 byte somewhere
downstream of extradata. I say notionally because often extradata will
in fact be null terminated (which causes other problems, see parent
commit).

Signed-off-by: Tim Angus <tim@ngus.net>
---
 libavformat/assenc.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Comments

Tim Angus Jan. 31, 2023, 1:37 p.m. UTC | #1 
On 31/01/2023 11:13, Tim Angus wrote:
> In the write_header function of the ASS encoder, extradata is
> searched for a substring using the strstr function. strstr expects a
> null terminated C string as its first parameter, but extradata is
> (notionally) not one of these, meaning that the calls to strstr only
> happen to work because (presumably) they encounter a 0 byte somewhere
> downstream of extradata. I say notionally because often extradata will
> in fact be null terminated (which causes other problems, see parent
> commit).
>
> Signed-off-by: Tim Angus <tim@ngus.net>
> ---
>   libavformat/assenc.c | 8 ++++----
>   1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/libavformat/assenc.c b/libavformat/assenc.c
> index 4c9ea6f982..f6f5293bb7 100644
> --- a/libavformat/assenc.c
> +++ b/libavformat/assenc.c
> @@ -83,12 +83,12 @@ static int write_header(AVFormatContext *s)
>           if (header_string[strlen(header_string) - 1] != '\n')
>               avio_printf(s->pb, "\r\n");
>   
> -        av_free(header_string);
> -
> -        ass->ssa_mode = !strstr(par->extradata, "\n[V4+ Styles]");
> -        if (!strstr(par->extradata, "\n[Events]"))
> +        ass->ssa_mode = !strstr(header_string, "\n[V4+ Styles]");
> +        if (!strstr(header_string, "\n[Events]"))
>               avio_printf(s->pb, "[Events]\r\nFormat: %s, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text\r\n",
>                           ass->ssa_mode ? "Marked" : "Layer");
> +
> +        av_free(header_string);
>       }
>   
>       return 0;

Apparently extradata is padded with zeroes, so this is probably 
unnecessary, strictly speaking. Having said that, reasoning about why 
the code works is less obscure with the patch applied.
diff mbox series

Patch

diff --git a/libavformat/assenc.c b/libavformat/assenc.c
index 4c9ea6f982..f6f5293bb7 100644
--- a/libavformat/assenc.c
+++ b/libavformat/assenc.c
@@ -83,12 +83,12 @@  static int write_header(AVFormatContext *s)
         if (header_string[strlen(header_string) - 1] != '\n')
             avio_printf(s->pb, "\r\n");
 
-        av_free(header_string);
-
-        ass->ssa_mode = !strstr(par->extradata, "\n[V4+ Styles]");
-        if (!strstr(par->extradata, "\n[Events]"))
+        ass->ssa_mode = !strstr(header_string, "\n[V4+ Styles]");
+        if (!strstr(header_string, "\n[Events]"))
             avio_printf(s->pb, "[Events]\r\nFormat: %s, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text\r\n",
                         ass->ssa_mode ? "Marked" : "Layer");
+
+        av_free(header_string);
     }
 
     return 0;