On 02/01/15 17:04, Martin Storsjö wrote:
On Fri, 2 Jan 2015, Martin Storsjö wrote:
On Fri, 2 Jan 2015, Luca Barbato wrote:
CC: [email protected]
---
It is a really ridiculous corner case but happens in real life.
libavformat/aviobuf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index 6923b78..b7786f7 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -125,8 +125,8 @@ static void flush_buffer(AVIOContext *s)
{
if (s->buf_ptr > s->buffer) {
if (s->write_packet && !s->error) {
- int ret = s->write_packet(s->opaque, s->buffer,
- s->buf_ptr - s->buffer);
+ int len = FFMIN(s->buf_ptr - s->buffer, s->buffer_size);
+ int ret = s->write_packet(s->opaque, s->buffer, len);
if (ret < 0) {
s->error = ret;
}
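Review bot: the FFMIN() clamp hides the fault instead of fixing it, and does so silently. If s->buf_ptr has moved beyond s->buffer + s->buffer_size, the extra bytes were already stored past the end of the allocation before flush_buffer() runs, and this hunk then drops them from the write without setting s->error, so the output is truncated with no diagnostic. Suggest keeping the clamp as a safety net but making the condition visible, e.g. `av_assert0(s->buf_ptr - s->buffer <= s->buffer_size)` or setting `s->error` when the clamp actually triggers, and fixing the caller that lets buf_ptr reach buf_end without a flush, since that is where the memory is corrupted.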
--
2.1.0
Hmm, looks like a pretty nasty issue if this happens - if this happens
I think we might need to add a similar FFMIN() in a number of
different places as well. Can you pinpoint where the pointers end up
being set out of bounds?
From what I could see, you have avio_w8 doing
write
pointer++
check if (pointer is >= end) and flush
Flush uses start-pointer to decide the amount to write down.
I'm not 100% sure when avio_seek does not trigger a flush when it positions
itself right at the last byte of the buffer (the code is sufficiently
convoluted to warrant a refactor).
Alternatively, if it is easily reproducible I could try to have a look
at pinpointing the source of the issue as well.
I couldn't get a reduced test case, and the only way to experience it had
been while using avio to edit some unnecessarily redundant format (thus
mixing seek and write a lot).
I can look at it later; I still have the timeout thing pending ^^;
lu
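The write/pointer++/check sequence and the seek-to-last-byte suspicion discussed above, as an added example that is not part of the thread or of libav's code: a constructed miniature of a write-mode buffered context (hypothetical names Writer, w8_write_then_check, w8_check_then_write, seek_in_buffer, run_scenario) with a guard byte after the buffer. It runs the same scenario three ways: write-then-check unpatched, write-then-check with the patch's clamp in flush, and check-then-write. The assumed seek deliberately accepts pos == buffer_size so that buf_ptr lands on buf_end without a flush, which is the corner case Luca suspects; whether libav's avio_seek actually does that is not established by the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of a write-mode buffered I/O context in the style of
 * AVIOContext; all names here are hypothetical, this is not libav's code.
 * The data buffer sits inside a larger arena with a guard byte after it, so a
 * one-byte overrun is observable without undefined behaviour. */
#define BUF_SIZE 8
#define GUARD    0xA5

typedef struct {
    uint8_t  arena[BUF_SIZE + 1];   /* buffer followed by one guard byte */
    uint8_t *buffer, *buf_ptr, *buf_end;
    int      buffer_size;
    int      clamp;                 /* 1 = apply the patch's FFMIN() in flush */
    int      max_flush_len;         /* largest length passed to "write_packet" */
} Writer;

static void writer_init(Writer *w, int clamp)
{
    memset(w, 0, sizeof *w);
    w->buffer = w->arena;   w->buffer_size = BUF_SIZE;  w->clamp = clamp;
    w->buf_ptr = w->buffer; w->buf_end = w->buffer + BUF_SIZE;
    w->arena[BUF_SIZE] = GUARD;
}

/* flush_buffer() as in the thread: hands buf_ptr - buffer bytes to the output
 * (modelled by recording the length), optionally clamped like the patch. */
static void flush_buffer(Writer *w)
{
    if (w->buf_ptr > w->buffer) {
        int len = (int)(w->buf_ptr - w->buffer);
        if (w->clamp && len > w->buffer_size)
            len = w->buffer_size;           /* the patch's FFMIN() */
        if (len > w->max_flush_len)
            w->max_flush_len = len;
        w->buf_ptr = w->buffer;
    }
}

/* Write-then-check (the order described for avio_w8): safe only while the
 * invariant buf_ptr < buf_end holds on entry. */
static void w8_write_then_check(Writer *w, int b)
{
    *w->buf_ptr++ = (uint8_t)b;
    if (w->buf_ptr >= w->buf_end)
        flush_buffer(w);
}

/* Check-then-write: a full buffer is flushed before the store, so the
 * invariant is re-established rather than assumed. */
static void w8_check_then_write(Writer *w, int b)
{
    if (w->buf_ptr >= w->buf_end)
        flush_buffer(w);
    *w->buf_ptr++ = (uint8_t)b;
}

/* In-buffer seek that does not flush. Accepting pos == buffer_size models the
 * suspected corner case: buf_ptr parked exactly on buf_end. */
static int seek_in_buffer(Writer *w, int pos)
{
    if (pos < 0 || pos > w->buffer_size)
        return -1;
    w->buf_ptr = w->buffer + pos;
    return 0;
}

/* Park buf_ptr on buf_end by seeking, then write a single byte. */
static void run_scenario(int check_first, int clamp, Writer *w)
{
    writer_init(w, clamp);
    seek_in_buffer(w, BUF_SIZE);
    if (check_first)
        w8_check_then_write(w, 0x42);
    else
        w8_write_then_check(w, 0x42);
}

/* 1 if the guard byte survived, 0 if the store ran past buf_end */
static int guard_intact(int check_first, int clamp)
{
    Writer w;
    run_scenario(check_first, clamp, &w);
    return w.arena[BUF_SIZE] == GUARD;
}

/* largest length flush_buffer() passed on during the scenario */
static int flush_len(int check_first, int clamp)
{
    Writer w;
    run_scenario(check_first, clamp, &w);
    return w.max_flush_len;
}

int main(void)
{
    /* expected: 0 9 / 0 8 / 1 8 */
    printf("write-then-check unpatched: %d %d\n", guard_intact(0, 0), flush_len(0, 0));
    printf("write-then-check patched:   %d %d\n", guard_intact(0, 1), flush_len(0, 1));
    printf("check-then-write:           %d %d\n", guard_intact(1, 0), flush_len(1, 0));
    return 0;
}
```

The second case is the point of the review: with the clamp, flush no longer passes buffer_size + 1 bytes to the output callback, but the guard byte is still overwritten, because the store happened before flush_buffer() was reached. Only the check-then-write ordering (or a seek that never leaves buf_ptr on buf_end) keeps the guard intact.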
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel