authorMichael Niedermayer <michael@niedermayer.cc>2017-10-28 16:16:46 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2017-10-28 20:24:04 +0200
commiteb54efc1e1aafe18d0a8a0c72a78314645bccc83 (patch)
tree72f1af0a3e90f02d4b1f524edb762ea798c6f42f
parent80137531139588774e048d6e1dae34ab5cbbbfa2 (diff)
avformat/ac3dec: Check buf2 before adding 16 in ac3_eac3_probe()
This is needed since e0250cf3651e6417e0117486a7816b45fb2d34cd as that uses end-buf2 Note, there are more than 16 bytes allocated beyond "end" Fixes: regression (segfault) with probetest Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavformat/ac3dec.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/libavformat/ac3dec.c b/libavformat/ac3dec.c
index 8ea73824a6..6f423ff7eb 100644
--- a/libavformat/ac3dec.c
+++ b/libavformat/ac3dec.c
@@ -47,8 +47,11 @@ static int ac3_eac3_probe(AVProbeData *p, enum AVCodecID expected_codec_id)
uint16_t frame_size;
int i, ret;
- if(!memcmp(buf2, "\x1\x10\0\0\0\0\0\0", 8))
+ if(!memcmp(buf2, "\x1\x10\0\0\0\0\0\0", 8)) {
+ if (buf2 + 16 > end)
+ break;
buf2+=16;
+ }
if (buf[0] == 0x77 && buf[1] == 0x0B) {
for(i=0; i<8; i+=2) {
buf3[i ] = buf2[i+1];
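Review bot: The added guard `if (buf2 + 16 > end)` forms a pointer up to 16 bytes past `end` before comparing, so it is well-defined only because of the extra allocation beyond `end` that the commit message mentions. Writing it as `if (end - buf2 < 16) break;` gives the same result without leaning on that, assuming `buf2 <= end` holds at this point (the loop header is outside the hunk). The `memcmp(buf2, ..., 8)` just above and the `buf2[i+1]` reads below have no length check of their own, and the guard still lets `buf2` land exactly on `end`, so those reads depend on the same padding. A short comment at the guard, e.g. `/* probe buffer is padded past end; the reads here may touch that padding */`, would record the invariant in the code rather than only in the commit log. The loop that `break` leaves starts outside the hunk, and its body continues past the hunk's last line.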