From patchwork Wed Apr 29 15:14:13 2020
X-Patchwork-Submitter: Lance Wang
X-Patchwork-Id: 19373
From: lance.lmwang@gmail.com
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 29 Apr 2020 23:14:13 +0800
Message-Id: <1588173257-14531-1-git-send-email-lance.lmwang@gmail.com>
Subject: [FFmpeg-devel] [PATCH 1/5] avformat/dashenc: fix invalid pointer access if avio_get_dyn_buf failed
Cc: Limin Wang

From: Limin Wang

If an error occurs, avio_get_dyn_buf() will return 0 and buf is NULL, so it's necessary to check the return value for the following code will access the buf pointer with index. In addition, the buf len should be greater than written_len to avoid the buffer overflow access.

Signed-off-by: Limin Wang
---
 libavformat/dashenc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/dashenc.c b/libavformat/dashenc.c index 9f83785792..99fb7d67af 100644 --- a/libavformat/dashenc.c +++ b/libavformat/dashenc.c 
@@ -2260,7 +2260,7 @@ static int dash_write_packet(AVFormatContext *s, AVPacket *pkt) uint8_t *buf = NULL; avio_flush(os->ctx->pb); len = avio_get_dyn_buf (os->ctx->pb, &buf); - if (os->out) { + if (os->out && len > os->written_len) { avio_write(os->out, buf + os->written_len, len - os->written_len); avio_flush(os->out); }
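Review bot: The new condition `if (os->out && len > os->written_len)` guards against the NULL `buf` only indirectly, by relying on `avio_get_dyn_buf()` returning 0 on failure and on `os->written_len` never being negative; neither that invariant nor the declarations of `len` and `written_len` are visible in this hunk. Consider testing the failure explicitly, for example `if (!buf || len <= 0)`, and returning an error from dash_write_packet() at that point, because as written the failure the commit message describes is silently skipped and the function carries on. It is also worth confirming that `len` and `os->written_len` have the same signedness, so that the comparison and the `len - os->written_len` size passed to avio_write() cannot be affected by an implicit conversion.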