From 5ec3c7b7c1189dca0ba29edbd33b5dbe68313382 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 20 Dec 2013 18:07:30 +0100
Subject: [PATCH] avformat/pva: Make sure the first byte of pes_header_data has been initialized
Fixes use of uninitialized memory
Fixes: msan_uninit-mem_7f53c1d0e95c_2674_PVA_test-partial.pva
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavformat/pva.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/libavformat/pva.c b/libavformat/pva.c
index 9b7a40a068..635fb728b3 100644
--- a/libavformat/pva.c
+++ b/libavformat/pva.c
@@ -85,6 +85,7 @@ static int read_part_of_packet(AVFormatContext *s, int64_t *pts,
 PVAContext *pvactx = s->priv_data;
 int syncword, streamid, reserved, flags, length, pts_flag;
 int64_t pva_pts = AV_NOPTS_VALUE, startpos;
+ int ret;
 recover:
 startpos = avio_tell(pb);
@@ -133,8 +134,8 @@ recover:
 pes_flags = avio_rb16(pb);
 pes_header_data_length = avio_r8(pb);
- if (pes_signal != 1) {
- pva_log(s, AV_LOG_WARNING, "expected signaled PES packet, "
+ if (pes_signal != 1 || pes_header_data_length == 0) {
+ pva_log(s, AV_LOG_WARNING, "expected non empty signaled PES packet, "
 "trying to recover\n");
 avio_skip(pb, length - 9);
 if (!read_packet)
@@ -142,7 +143,9 @@ recover:
 goto recover;
 }
- avio_read(pb, pes_header_data, pes_header_data_length);
+ ret = avio_read(pb, pes_header_data, pes_header_data_length);
+ if (ret != pes_header_data_length)
+ return ret < 0 ? ret : AVERROR_INVALIDDATA;
 length -= 9 + pes_header_data_length;
 pes_packet_length -= 3 + pes_header_data_length;
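Review bot: The guard added in the second hunk rejects only `pes_header_data_length == 0`, so a header of one or a few bytes still passes and only that many bytes of `pes_header_data` are written by the read that follows. The commit subject limits the guarantee to the first byte; if the code after this hunk (not visible here) passes the buffer to anything that reads beyond `pes_header_data[0]`, those bytes stay uninitialized for short headers. Zero-initializing the buffer at its declaration, or raising the minimum to the number of bytes the consumer actually reads, would cover that case. A comment on the condition such as `/* pes_header_data[0] is inspected below, so an empty header is rejected */` would also explain why the length is tested here. The enclosing block starts and ends outside the hunk.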
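Review bot: In the third hunk, `length -= 9 + pes_header_data_length;` runs after a successful read with no visible check that the PES header fits in the remaining PVA payload, so a header length larger than `length - 9` leaves `length` negative. The hunk does not show `length` being validated afterwards; if no later check in read_part_of_packet exists, a guard before the read such as `if (pes_header_data_length > length - 9) return AVERROR_INVALIDDATA;` would keep the value handed to the caller in range. The recovery branch in the second hunk makes the same assumption in `avio_skip(pb, length - 9)`. The function continues outside the hunk.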