Commit 2115a359 authored by Anton Khirnov's avatar Anton Khirnov

lavf: make av_probe_input_buffer more robust

Always use the actually read size as the offset instead of making
possibly invalid assumptions.

Addresses: CVE-2012-6618
parent 8b763628
...@@ -263,12 +263,11 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, ...@@ -263,12 +263,11 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
for(probe_size= PROBE_BUF_MIN; probe_size<=max_probe_size && !*fmt; for(probe_size= PROBE_BUF_MIN; probe_size<=max_probe_size && !*fmt;
probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) { probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) {
int score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0; int score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0;
int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1;
/* read probe data */ /* read probe data */
if ((ret = av_reallocp(&buf, probe_size + AVPROBE_PADDING_SIZE)) < 0) if ((ret = av_reallocp(&buf, probe_size + AVPROBE_PADDING_SIZE)) < 0)
return ret; return ret;
if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) { if ((ret = avio_read(pb, buf + pd.buf_size, probe_size - pd.buf_size)) < 0) {
/* fail if error was not end of file, otherwise, lower score */ /* fail if error was not end of file, otherwise, lower score */
if (ret != AVERROR_EOF) { if (ret != AVERROR_EOF) {
av_free(buf); av_free(buf);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment