On 08/01/14 13:57, Luca Barbato wrote:
> On 01/08/14 13:41, [email protected] wrote:
>> From: Michael Niedermayer <[email protected]>
>>
>> Prevents out of array writes
>> Addresses: CVE-2014-2263
>> ---
>>  libavformat/mpegtsenc.c | 9 +++++++--
>>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> This is an encoder, it means that the data buffer is smaller than you'd
> expect.
> 
> Is 1012 a random number, or is there a specification mandating that?

section[1024] - 4 /* crc */ - 8 /* PSI section header */
in mpegts_write_section1

Section length including header cannot be over 1024, per
H222 2.4.4.7


>> diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c
>> index 838702e..de27d70 100644
>> --- a/libavformat/mpegtsenc.c
>> +++ b/libavformat/mpegtsenc.c
>> @@ -214,7 +214,7 @@ static void mpegts_write_pat(AVFormatContext *s)
>>                            data, q - data);
>>  }
>>  
>> -static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
>> +static int mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
>>  {
>>      MpegTSWrite *ts = s->priv_data;
>>      uint8_t data[1012], *q, *desc_length_ptr, *program_info_length_ptr;
>                     ^^^^
> Random magic number

I agree it should be documented / defined
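
Review bot: the `1012` in the `uint8_t data[1012]` declaration of mpegts_write_pmt is a bare literal that has to stay in step with the section buffer in mpegts_write_section1; per the reply above it is section[1024] minus 4 bytes of CRC and 8 bytes of PSI section header. Define it once as a named constant, or derive it from the section size, with a comment citing that limit, so that any bounds check written against this buffer and the buffer size itself cannot drift apart. Since the function now returns int instead of void, its call sites, which are not visible in the quoted part of the patch, should check the result rather than discard it.
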
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
