lavf: make av_probe_input_buffer more robust

Always use the actually read size as the offset instead of making possibly invalid assumptions. Addresses: CVE-2012-6618

lavf: make av_probe_input_buffer more robust
Always use the actually read size as the offset instead of making possibly invalid assumptions. Addresses: CVE-2012-6618
2115a359 · Anton Khirnov · 8b763628 · 2115a359
Commit 2115a359 authored Jan 13, 2014 by Anton Khirnov
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 2 deletions

utils.c libavformat/utils.c +1 -2

No files found.
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -263,12 +263,11 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
    for(probe_size= PROBE_BUF_MIN; probe_size<=max_probe_size && !*fmt;
        probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) {
        int score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0;
-        int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1;

        /* read probe data */
        if ((ret = av_reallocp(&buf, probe_size + AVPROBE_PADDING_SIZE)) < 0)
            return ret;
-        if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) {
+        if ((ret = avio_read(pb, buf + pd.buf_size, probe_size - pd.buf_size)) < 0) {
            /* fail if error was not end of file, otherwise, lower score */
            if (ret != AVERROR_EOF) {
                av_free(buf);