highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avcodec/ccaption_dec: Use simple array instead of AVBuffer

Browse Source 
This is simpler and fixes an out of array read, fixing it with AVBuffers
would be more complex

Fixes: e00d9e6e50e5495cc93fea41147b97bb/asan_heap-oob_12dcdbb_8798_b32a97ea722dd37bb5066812cc674552.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 752e6dfa3ea97e7901870bdd9e5a51f860607240)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2016-09-09 10:26:15 +02:00
parent 9259b7f38e
commit d669b7f4f6
1 changed files with 11 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
libavcodec/ccaption_dec.c
View File

@ -135,7 +135,8 @@ typedef struct CCaptionSubContext {
int64_t last_real_time; int64_t last_real_time;
char prev_cmd[2]; char prev_cmd[2];
/* buffer to store pkt data */ /* buffer to store pkt data */
AVBufferRef *pktbuf; uint8_t *pktbuf;
int pktbuf_size;
} CCaptionSubContext; } CCaptionSubContext;
@ -160,11 +161,7 @@ static av_cold int init_decoder(AVCodecContext *avctx)
if (ret < 0) { if (ret < 0) {
return ret; return ret;
} }
/* allocate pkt buffer */
ctx->pktbuf = av_buffer_alloc(128);
if (!ctx->pktbuf) {
ret = AVERROR(ENOMEM);
}
return ret; return ret;
} }
@ -172,7 +169,8 @@ static av_cold int close_decoder(AVCodecContext *avctx)
{ {
CCaptionSubContext *ctx = avctx->priv_data; CCaptionSubContext *ctx = avctx->priv_data;
av_bprint_finalize(&ctx->buffer, NULL); av_bprint_finalize(&ctx->buffer, NULL);
av_buffer_unref(&ctx->pktbuf); av_freep(&ctx->pktbuf);
ctx->pktbuf_size = 0;
return 0; return 0;
} }
@ -578,16 +576,13 @@ static int decode(AVCodecContext *avctx, void *data, int *got_sub, AVPacket *avp
int ret = 0; int ret = 0;
int i; int i;
if (ctx->pktbuf->size < len) { av_fast_padded_malloc(&ctx->pktbuf, &ctx->pktbuf_size, len);
ret = av_buffer_realloc(&ctx->pktbuf, len); if (!ctx->pktbuf) {
if (ret < 0) { av_log(ctx, AV_LOG_WARNING, "Insufficient Memory of %d truncated to %d\n", len, ctx->pktbuf_size);
av_log(ctx, AV_LOG_WARNING, "Insufficient Memory of %d truncated to %d\n", len, ctx->pktbuf->size); return AVERROR(ENOMEM);
len = ctx->pktbuf->size;
ret = 0;
} }
} memcpy(ctx->pktbuf, avpkt->data, len);
memcpy(ctx->pktbuf->data, avpkt->data, len); bptr = ctx->pktbuf;
bptr = ctx->pktbuf->data;
for (i = 0; i < len; i += 3) { for (i = 0; i < len; i += 3) {
uint8_t cc_type = *(bptr + i) & 3; uint8_t cc_type = *(bptr + i) & 3;