diff mbox series

[FFmpeg-devel,3/7] avformat/sdp: Fix potential write beyond end of buffer

Message ID 20200709103542.19909-3-andreas.rheinhardt@gmail.com
State Accepted
Commit 5d91b7718efc581da8882a4e9bf2f5953e41adbf
Headers show
Series [FFmpeg-devel,1/7] avformat/avc: Fix undefined shift and assert when reading exp-golomb num | expand

Checks

Context Check Description
andriy/default pending
andriy/make success Make finished
andriy/make_fate success Make fate finished

Commit Message

Andreas Rheinhardt July 9, 2020, 10:35 a.m. UTC 
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
---
 libavformat/sdp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Michael Niedermayer July 10, 2020, 6:19 p.m. UTC | #1 
On Thu, Jul 09, 2020 at 12:35:38PM +0200, Andreas Rheinhardt wrote:
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
> ---
>  libavformat/sdp.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavformat/sdp.c b/libavformat/sdp.c
> index 34e9839b67..2ce1a62262 100644
> --- a/libavformat/sdp.c
> +++ b/libavformat/sdp.c
> @@ -212,7 +212,7 @@ static char *extradata2psets(AVFormatContext *s, AVCodecParameters *par)
>          p += strlen(p);
>          r = r1;
>      }
> -    if (sps && sps_end - sps >= 4) {
> +    if (sps && sps_end - sps >= 4 && p - psets <= MAX_PSET_SIZE - strlen(profile_string) - 7) {

probably ok

thx

[...]
diff mbox series

Patch

diff --git a/libavformat/sdp.c b/libavformat/sdp.c
index 34e9839b67..2ce1a62262 100644
--- a/libavformat/sdp.c
+++ b/libavformat/sdp.c
@@ -212,7 +212,7 @@  static char *extradata2psets(AVFormatContext *s, AVCodecParameters *par)
         p += strlen(p);
         r = r1;
     }
-    if (sps && sps_end - sps >= 4) {
+    if (sps && sps_end - sps >= 4 && p - psets <= MAX_PSET_SIZE - strlen(profile_string) - 7) {
         memcpy(p, profile_string, strlen(profile_string));
         p += strlen(p);
         ff_data_to_hex(p, sps + 1, 3, 0);