On Fri, Oct 12, 2018 at 09:41:04PM +0800, Jun Zhao wrote:
> case 1:
> use the hexdump -C SMM0005.rcv get:
> size skip (size - 4)
> | |
> V V
> 00000000 18 00 00 c5 05 00 00 00 4d f1 0a 11 00 e0 01 00
> 00000010 00 d0 02 00 00 0c 00 00 00 88 13 00 00 c0 65 52
> ^
> |
> size + 16
> case 2:
> same the command for SMM0015.rcv get:
> size
> |
> V
> 00000000 19 00 00 c5 04 00 00 00 41 f3 80 01 40 02 00 00
> 00000010 d0 02 00 00 0c 00 00 00 00 00 00 10 00 00 00 00
> ^
> |
> size + 16
>
> There are different the RCV file format for VC-1, vc1test
> just handle the case 2 now, this fix will support the case 1.
> (Both of test clips come from: RP 228:2008 - SMPTE
> Recommended Practice - VC-1 Decoder and Bitstream Conformance).
>
> Signed-off-by: Jun Zhao <jun.z...@intel.com>
> Signed-off-by: Yan, FengX <fengx....@intel.com>
> ---
> libavformat/vc1test.c | 11 +++++++++--
> 1 files changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/libavformat/vc1test.c b/libavformat/vc1test.c
> index a801f4b..82e155a 100644
> --- a/libavformat/vc1test.c
> +++ b/libavformat/vc1test.c
> @@ -34,9 +34,13 @@
>
> static int vc1t_probe(AVProbeData *p)
> {
> + int size;
> +
> if (p->buf_size < 24)
> return 0;
> - if (p->buf[3] != 0xC5 || AV_RL32(&p->buf[4]) != 4 ||
> AV_RL32(&p->buf[20]) != 0xC)
> +
> + size = AV_RL32(&p->buf[4]);
> + if (p->buf[3] != 0xC5 || AV_RL32(&p->buf[size+16]) != 0xC)this doesnt check size and could crash [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB If a bugfix only changes things apparently unrelated to the bug with no further explanation, that is a good sign that the bugfix is wrong.
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
