From 139005452d0fd2db313a0cfe934c7e3e76949daa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Jul 2013 23:38:08 +0200 Subject: [PATCH] rmdec: Pass AVIOContext to rm_read_metadata() Fix null pointer dereference Fixes Ticket2588 Signed-off-by: Michael Niedermayer (cherry picked from commit bf87908cd8da31e8f8fe75c06577170928ea70a8) Conflicts: libavformat/rmdec.c --- libavformat/rmdec.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 6b39e473d8..1f2490b437 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -107,13 +107,14 @@ static int rm_read_extradata(AVIOContext *pb, AVCodecContext *avctx, unsigned si return 0; } -static void rm_read_metadata(AVFormatContext *s, int wide) +static void rm_read_metadata(AVFormatContext *s, AVIOContext *pb, int wide) { char buf[1024]; int i; + for (i=0; ipb) : avio_r8(s->pb); - get_strl(s->pb, buf, sizeof(buf), len); + int len = wide ? avio_rb16(pb) : avio_r8(pb); + get_strl(pb, buf, sizeof(buf), len); av_dict_set(&s->metadata, ff_rm_metadata[i], buf, 0); } } @@ -143,7 +144,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, int header_size = avio_rb16(pb); int64_t startpos = avio_tell(pb); avio_skip(pb, 14); - rm_read_metadata(s, 0); + rm_read_metadata(s, pb, 0); if ((startpos + header_size) >= avio_tell(pb) + 2) { // fourcc (should always be "lpcJ") avio_r8(pb); @@ -290,7 +291,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, avio_r8(pb); avio_r8(pb); avio_r8(pb); - rm_read_metadata(s, 0); + rm_read_metadata(s, pb, 0); } } return 0; @@ -483,7 +484,7 @@ static int rm_read_header(AVFormatContext *s) flags = avio_rb16(pb); /* flags */ break; case MKTAG('C', 'O', 'N', 'T'): - rm_read_metadata(s, 1); + rm_read_metadata(s, pb, 1); break; case MKTAG('M', 'D', 'P', 'R'): st = avformat_new_stream(s, NULL);