A negative `size' will bypass FFMIN(). In the subsequent memcpy() call,
`size' will be considered as a large positive value, leading to a buffer
overflow.
Change the type of `size' to unsigned int to avoid buffer overflow, and
simplify overflow checks accordingly.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4e692374f7962ea358c329de38c380103f8991b6)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Sanity checks like `data + size >= data_end || data + size < data' are
broken, because `data + size < data' assumes pointer overflow, which is
undefined behavior in C. Many compilers such as gcc/clang optimize such
checks away.
Use `size < 0 || size >= data_end - data' instead.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 902cfe2f74d777a7dc20ac68f2393b9f84b790c1)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
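The two fixes described in the first two commit messages above, shown as an added C example; it is not code from FFmpeg or from these commits. The length-prefixed field format and the names `legacy_copy_len`, `fixed_copy_len`, `read_be32` and `copy_field` are constructed for illustration, and `FFMIN` is written out here as an ordinary minimum macro.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FFMIN(a, b) ((a) > (b) ? (b) : (a))

/* Length memcpy() would receive when a signed size is only clamped from above. */
static size_t legacy_copy_len(int size, int room)
{
    int n = FFMIN(size, room);  /* a negative size is the minimum, so it survives */
    return (size_t)n;           /* same conversion memcpy()'s size_t parameter applies */
}

/* The same clamp with an unsigned size can never exceed room. */
static size_t fixed_copy_len(unsigned int size, unsigned int room)
{
    return FFMIN(size, room);
}

/* Constructed wire format: 32-bit big-endian length, then payload. */
static int read_be32(const uint8_t *p)
{
    return (int)(int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                          ((uint32_t)p[2] << 8) | p[3]);
}

/* Returns bytes copied, or -1 for a malformed field. The length is compared
 * with the remaining distance, so no out-of-range pointer is ever formed. */
static int copy_field(uint8_t *dst, int dst_size,
                      const uint8_t *data, const uint8_t *data_end)
{
    if (data_end - data < 4)
        return -1;
    int size = read_be32(data);
    data += 4;
    /* check from the second message, plus a destination bound */
    if (size < 0 || size >= data_end - data || size > dst_size)
        return -1;
    memcpy(dst, data, (size_t)size);
    return size;
}

int main(void)
{
    const uint8_t bad[] = { 0xff, 0xff, 0xff, 0xff, 'a', 'b' };  /* constructed */
    uint8_t out[8];
    printf("legacy=%zu fixed=%zu field=%d\n", legacy_copy_len(-1, 64),
           fixed_copy_len((unsigned int)-1, 64),
           copy_field(out, (int)sizeof(out), bad, bad + sizeof(bad)));
    return 0;
}
```

Because the check uses `>=`, a field whose length equals the remaining byte count is rejected as well, matching the form given in the commit message.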
* qatar/master: (32 commits)
doc: create separate section for audio encoders
swscale: Remove orphaned, commented-out function declaration.
swscale: Eliminate rgb24toyv12_c() duplication.
Remove h263_msmpeg4 from MpegEncContext.
APIchanges: Fill in git hash for fps_probe_size (30315a8)
avformat: Add fpsprobesize as an AVOption.
avoptions: Return explicitly NAN or {0,0} if the option isn't found
rtmp: Reindent
rtmp: Don't try to do av_malloc(0)
tty: replace AVFormatParameters.sample_rate abuse with a private option.
Fix end time of last chapter in compute_chapters_end
ffmpeg: get rid of useless AVInputStream.nb_streams.
ffmpeg: simplify managing input files and streams
ffmpeg: purge redundant AVInputStream.index.
lavf: deprecate AVFormatParameters.channel.
libdc1394: add a private option for channel.
dv1394: add a private option for channel.
v4l2: reindent.
v4l2: add a private option for channel.
lavf: deprecate AVFormatParameters.standard.
...
Conflicts:
doc/APIchanges
doc/encoders.texi
ffmpeg.c
libavdevice/alsa-audio.h
libavformat/version.h
libavutil/opt.c
libswscale/rgb2rgb.h
libswscale/rgb2rgb_template.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Some received packets can have size 0. The return value from
av_malloc(0) may be NULL, which is ok if the size was 0. On
OS X, however, the returned pointer is non-null but leads to
crashes when trying to free it.
Signed-off-by: Martin Storsjö <martin@martin.st>
* qatar/master: (22 commits)
ac3enc: move extract_exponents inner loop to ac3dsp
avio: deprecate url_get_filename().
avio: deprecate url_max_packet_size().
avio: make url_get_file_handle() internal.
avio: make url_filesize() internal.
avio: make url_close() internal.
avio: make url_seek() internal.
avio: cosmetics, move AVSEEK_SIZE/FORCE declarations together
avio: make url_write() internal.
avio: make url_read_complete() internal.
avio: make url_read() internal.
avio: make url_open() internal.
avio: make url_connect internal.
avio: make url_alloc internal.
applehttp: Merge two for loops
applehttp: Restructure the demuxer to use a custom AVIOContext
applehttp: Move finished and target_duration to the variant struct
aacenc: reduce the number of loop index variables
avio: deprecate url_open_protocol
avio: deprecate url_poll and URLPollEntry
...
Conflicts:
libavformat/applehttp.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
track timestamp difference as well.
Patch by Sergiy (mail.composeAddress("piratfm","gmail.com"))
Originally committed as revision 20714 to svn://svn.ffmpeg.org/ffmpeg/trunk
difference, so make all read packets store absolute timestamp.
As a consequence, we don't need to track audio/video timestamps separately
any longer in protocol handler.
Originally committed as revision 20685 to svn://svn.ffmpeg.org/ffmpeg/trunk
instead of assuming it should occur right at given position.
This helps finding human-readable error descriptions in RTMP server replies.
Originally committed as revision 20575 to svn://svn.ffmpeg.org/ffmpeg/trunk