avio: exit early in fill_buffer without read_packet

Fixes an invalid free() with ass in avi. The sample in bug 98 passes parts of AVPacket.data as buffer for the AVIOContext. Since the packet is quite large fill_buffer tries to reallocate the buffer before doing nothing. Fixes bug 98.

avio: exit early in fill_buffer without read_packet
Fixes an invalid free() with ass in avi. The sample in bug 98 passes parts of AVPacket.data as buffer for the AVIOContext. Since the packet is quite large fill_buffer tries to reallocate the buffer before doing nothing. Fixes bug 98.
a2d1d216 · Janne Grunau · d209c27b · a2d1d216
Commit a2d1d216 authored Jan 03, 2012 by Janne Grunau
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

aviobuf.c libavformat/aviobuf.c +4 -0

No files found.
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -565,6 +565,10 @@ static void fill_buffer(AVIOContext *s)
    int len= s->buffer_size - (dst - s->buffer);
    int max_buffer_size = s->max_packet_size ? s->max_packet_size : IO_BUFFER_SIZE;

+    /* can't fill the buffer without read_packet, just set EOF if appropiate */
+    if (!s->read_packet && s->buf_ptr >= s->buf_end)
+        s->eof_reached = 1;
+
    /* no need to do anything if EOF already reached */
    if (s->eof_reached)
        return;