highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix a buffer overflow in libx264 interface to x264 encoder. Previous code ignored the compressed buffer size passed in. This change returns as many complete NALs as can fit in the buffer, and logs an error message.

Browse Source 
Signed-off-by: Mike Scheutzow <mike.scheutzow@alcatel-lucent.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e2dae1faa84ada5746ac2114de7eb68abd824131)
This commit is contained in:
Mike Scheutzow 2011-09-26 10:57:53 -04:00 committed by Michael Niedermayer
parent be1ae17ec0
commit 7e362df304
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
libavcodec/libx264.c
View File

@ -70,9 +70,14 @@ static int encode_nals(AVCodecContext *ctx, uint8_t *buf, int size,
/* Write the SEI as part of the first frame. */
if (x4->sei_size > 0 && nnal > 0) {
if (x4->sei_size > size) {
av_log(ctx, AV_LOG_ERROR, "Error: nal buffer is too small\n");
return -1;
}
memcpy(p, x4->sei, x4->sei_size);
p += x4->sei_size;
x4->sei_size = 0;
// why is x4->sei not freed?
}
for (i = 0; i < nnal; i++){
@ -83,6 +88,11 @@ static int encode_nals(AVCodecContext *ctx, uint8_t *buf, int size,
memcpy(x4->sei, nals[i].p_payload, nals[i].i_payload);
continue;
}
if (nals[i].i_payload > (size - (p - buf))) {
// return only complete nals which fit in buf
av_log(ctx, AV_LOG_ERROR, "Error: nal buffer is too small\n");
break;
}
memcpy(p, nals[i].p_payload, nals[i].i_payload);
p += nals[i].i_payload;
}