Message ID | 20240508023923.28209-2-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 5b82852519e92a2b94de0f22da1a81df5b3e0412 |
Headers | show |
Series | [FFmpeg-devel,1/3] avcodec/cbs_jpeg: Assert that cbs_jpeg_assemble_fragment() stays within the array | expand |
Context | Check | Description |
---|---|---|
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
On Wed, May 08, 2024 at 04:39:22AM +0200, Michael Niedermayer wrote: > Found by reviewing code related to CID1500301 String not null terminated > > Sponsored-by: Sovereign Tech Fund > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/sdp.c | 3 +++ > 1 file changed, 3 insertions(+) will apply [...]
diff --git a/libavformat/sdp.c b/libavformat/sdp.c index 7e11a759185..ccfaa8aff58 100644 --- a/libavformat/sdp.c +++ b/libavformat/sdp.c @@ -203,6 +203,8 @@ static int extradata2psets(AVFormatContext *s, const AVCodecParameters *par, continue; } if (p != (psets + strlen(pset_string))) { + if (p - psets >= MAX_PSET_SIZE) + goto fail_in_loop; *p = ','; p++; } @@ -213,6 +215,7 @@ static int extradata2psets(AVFormatContext *s, const AVCodecParameters *par, if (!av_base64_encode(p, MAX_PSET_SIZE - (p - psets), r, r1 - r)) { av_log(s, AV_LOG_ERROR, "Cannot Base64-encode %"PTRDIFF_SPECIFIER" %"PTRDIFF_SPECIFIER"!\n", MAX_PSET_SIZE - (p - psets), r1 - r); +fail_in_loop: av_free(psets); av_free(tmpbuf);
Found by reviewing code related to CID1500301 String not null terminated Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/sdp.c | 3 +++ 1 file changed, 3 insertions(+)