Message ID | 20210302103848.483203-1-andreas.rheinhardt@gmail.com |
---|---|
State | Accepted |
Commit | ec5663d0a796cb8acde8ad04ac4cc7e2be7d5173 |
Headers | show |
Series | [FFmpeg-devel,1/2] avformat/dashdec: Ensure strings are zero-terminated | expand |
Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | success | Make fate finished |
andriy/PPC64_make | success | Make finished |
andriy/PPC64_make_fate | success | Make fate finished |
> 2021年3月2日 下午6:38,Andreas Rheinhardt <andreas.rheinhardt@gmail.com> 写道: > > strncpy only ensures that one does not write beyond the end of the > destination buffer; in case of truncation it does not zero-terminate > the destination buffer. This makes using it the way it is now in the > DASH demuxer dangerous. So use av_strlcpy instead. > > Also don't write anything if there is no id: The buffer has already been > zeroed initially. > > The DASH testset from the Universität Klagenfurt contains samples with > ids that are too long. E.g. > http://ftp.itec.aau.at/datasets/DASHDataset2014/TearsOfSteel/1sec/TearsOfSteel_1s_simple_2014_05_09.mpd > > Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> > --- > libavformat/dashdec.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c > index b82805c9ce..3a12aefa68 100644 > --- a/libavformat/dashdec.c > +++ b/libavformat/dashdec.c > @@ -1042,7 +1042,8 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url, > if (rep->fragment_duration > 0 && !rep->fragment_timescale) > rep->fragment_timescale = 1; > rep->bandwidth = rep_bandwidth_val ? atoi(rep_bandwidth_val) : 0; > - strncpy(rep->id, rep_id_val ? rep_id_val : "", sizeof(rep->id)); > + if (rep_id_val) > + av_strlcpy(rep->id, rep_id_val, sizeof(rep->id)); > rep->framerate = av_make_q(0, 0); > if (type == AVMEDIA_TYPE_VIDEO) { > char *rep_framerate_val = xmlGetProp(representation_node, "frameRate"); > -- > 2.27.0 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". patchset lgtm Thanks Steven Liu
diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index b82805c9ce..3a12aefa68 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c @@ -1042,7 +1042,8 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url, if (rep->fragment_duration > 0 && !rep->fragment_timescale) rep->fragment_timescale = 1; rep->bandwidth = rep_bandwidth_val ? atoi(rep_bandwidth_val) : 0; - strncpy(rep->id, rep_id_val ? rep_id_val : "", sizeof(rep->id)); + if (rep_id_val) + av_strlcpy(rep->id, rep_id_val, sizeof(rep->id)); rep->framerate = av_make_q(0, 0); if (type == AVMEDIA_TYPE_VIDEO) { char *rep_framerate_val = xmlGetProp(representation_node, "frameRate");
strncpy only ensures that one does not write beyond the end of the destination buffer; in case of truncation it does not zero-terminate the destination buffer. This makes using it the way it is now in the DASH demuxer dangerous. So use av_strlcpy instead. Also don't write anything if there is no id: The buffer has already been zeroed initially. The DASH testset from the Universität Klagenfurt contains samples with ids that are too long. E.g. http://ftp.itec.aau.at/datasets/DASHDataset2014/TearsOfSteel/1sec/TearsOfSteel_1s_simple_2014_05_09.mpd Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> --- libavformat/dashdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)