Traneptora/FFmpeg
1
Fork 0
forked from FFmpeg/FFmpeg
Code Pull requests Activity

aviobuf: Write new data at s->buf_end in fill_buffer

Browse source 
In most cases, s->buf_ptr will be equal to s->buf_end when
fill_buffer is called, but this may not always be the case, if
we're seeking forward by reading (permitted by the short seek
threshold).

If fill_buffer is writing to s->buf_ptr instead of s->buf_end (when
they aren't equal and s->buf_ptr is ahead of s->buffer), the data
between s->buf_ptr and s->buf_end is overwritten, leading to
inconsistent buffer content. This could return incorrect data if
later seeking back into the area before the current s->buf_ptr.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This commit is contained in:
Martin Storsjö 2011-02-27 01:02:32 +02:00 committed by Luca Barbato
parent 06ed4873e6
commit e360ada2d1
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
libavformat/aviobuf.c
View file

@ -468,7 +468,7 @@ void put_tag(AVIOContext *s, const char *tag)
static void fill_buffer(AVIOContext *s) static void fill_buffer(AVIOContext *s)
{ {
uint8_t *dst= !s->max_packet_size && s->buf_end - s->buffer < s->buffer_size ? s->buf_ptr : s->buffer; uint8_t *dst= !s->max_packet_size && s->buf_end - s->buffer < s->buffer_size ? s->buf_end : s->buffer;
int len= s->buffer_size - (dst - s->buffer); int len= s->buffer_size - (dst - s->buffer);
int max_buffer_size = s->max_packet_size ? s->max_packet_size : IO_BUFFER_SIZE; int max_buffer_size = s->max_packet_size ? s->max_packet_size : IO_BUFFER_SIZE;