diff mbox series

[FFmpeg-devel,2/3] avformat/sdp: Check before appending ", "

Message ID 20240508023923.28209-2-michael@niedermayer.cc
State New
Headers show
Series [FFmpeg-devel,1/3] avcodec/cbs_jpeg: Assert that cbs_jpeg_assemble_fragment() stays within the array | expand

Checks

Context Check Description
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Michael Niedermayer May 8, 2024, 2:39 a.m. UTC 
Found by reviewing code related to CID1500301 String not null terminated

Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/sdp.c | 3 +++
 1 file changed, 3 insertions(+)
diff mbox series

Patch

diff --git a/libavformat/sdp.c b/libavformat/sdp.c
index 7e11a759185..ccfaa8aff58 100644
--- a/libavformat/sdp.c
+++ b/libavformat/sdp.c
@@ -203,6 +203,8 @@  static int extradata2psets(AVFormatContext *s, const AVCodecParameters *par,
             continue;
         }
         if (p != (psets + strlen(pset_string))) {
+            if (p - psets >= MAX_PSET_SIZE)
+                goto fail_in_loop;
             *p = ',';
             p++;
         }
@@ -213,6 +215,7 @@  static int extradata2psets(AVFormatContext *s, const AVCodecParameters *par,
         if (!av_base64_encode(p, MAX_PSET_SIZE - (p - psets), r, r1 - r)) {
             av_log(s, AV_LOG_ERROR, "Cannot Base64-encode %"PTRDIFF_SPECIFIER" %"PTRDIFF_SPECIFIER"!\n",
                    MAX_PSET_SIZE - (p - psets), r1 - r);
+fail_in_loop:
             av_free(psets);
             av_free(tmpbuf);