
[FFmpeg-devel,2/7] avformat/avc: Fix undefined pointer arithmetic for small buffers

Message ID 20200709103542.19909-2-andreas.rheinhardt@gmail.com
State New
Series [FFmpeg-devel,1/7] avformat/avc: Fix undefined shift and assert when reading exp-golomb num

Checks

Context Check Description
andriy/default pending
andriy/make success Make finished
andriy/make_fate success Make fate finished

Commit Message

Andreas Rheinhardt July 9, 2020, 10:35 a.m. UTC
avc_find_startcode_internal() would subtract 6 from a pointer
(representing the end of a buffer) without checking whether the buffer
was actually large enough; but pointer arithmetic is undefined except
when one stays in the buffer.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
---
 libavformat/avc.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

Patch

diff --git a/libavformat/avc.c b/libavformat/avc.c
index 55494eb08a..cc92fb1038 100644
--- a/libavformat/avc.c
+++ b/libavformat/avc.c
@@ -44,14 +44,15 @@  static inline unsigned get_ue_golomb(GetBitContext *gb)
 
 static const uint8_t *avc_find_startcode_internal(const uint8_t *p, const uint8_t *end)
 {
-    const uint8_t *a = p + 4 - ((intptr_t)p & 3);
+    if (end - p <= 5)
+        goto rest;
 
-    for (end -= 3; p < a && p < end; p++) {
+    for (; (uintptr_t)p & 3; p++) {
         if (p[0] == 0 && p[1] == 0 && p[2] == 1)
             return p;
     }
 
-    for (end -= 3; p < end; p += 4) {
+    for (end -= 6; p < end; p += 4) {
         uint32_t x = *(const uint32_t*)p;
 //      if ((x - 0x01000100) & (~x) & 0x80008000) // little endian
 //      if ((x - 0x00010001) & (~x) & 0x00800080) // big endian
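Review bot: The new `end - p <= 5` guard and the `end -= 6` bound of the word-scan loop are coupled constants with nothing saying what they protect; a reader has to reconstruct that the alignment loop advances p at most three times while reading p[2], and that the word-scan body (which lies between the two hunks) looks several bytes past p. I would state the invariant next to the guard, e.g. `/* fast path reads up to 6 bytes from p; shorter tails go straight to the byte-wise scan */` — the exact lookahead should be checked against the scan body, which is not in the hunk. A smaller, pre-existing point: the `*(const uint32_t*)p` read on the next line type-puns a uint8_t buffer, so `memcpy(&x, p, sizeof x)` would remove the remaining strict-aliasing UB at the same cost now that the alignment handling has been rewritten. avc_find_startcode_internal's body continues past the hunk.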
@@ -70,13 +71,15 @@  static const uint8_t *avc_find_startcode_internal(const uint8_t *p, const uint8_
             }
         }
     }
+    end += 6;
 
-    for (end += 3; p < end; p++) {
+rest:
+    for (; end - p > 3; p++) {
         if (p[0] == 0 && p[1] == 0 && p[2] == 1)
             return p;
     }
 
-    return end + 3;
+    return end;
 }
 
 const uint8_t *ff_avc_find_startcode(const uint8_t *p, const uint8_t *end){
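Review bot: The byte-wise tail loop `for (; end - p > 3; p++)` stops while four bytes remain although its body reads only p[0..2], so a start code in the final three bytes is never matched and the caller receives `end`; this mirrors the old `p < end` with `end` pre-decremented by 3, so it is not a regression, but the now-explicit form is the place to say why. A one-line comment on the loop, e.g. `/* the last 3 bytes are deliberately not searched: a start code needs at least one byte after it to delimit anything */`, would keep the next reader from "fixing" the bound to `> 2` — that rationale is my inference, so confirm it against the callers before writing it. The `end += 6;` that undoes the fast-path subtraction before the `rest:` label is easy to miss, since `end` is mutated on one path and not the other; using a local (`const uint8_t *fast_end = end - 6;` as the loop bound) would drop the restore and make the hunk-1 loop self-contained. The ff_avc_find_startcode definition beginning on the last line of the hunk continues outside it.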