Mercurial > libavformat.hg
comparison mpegts.c @ 675:29a19aec26b2 libavformat
Writing to freed memory in write_section_data() patch by (Wolfram Gloger <wmglo dent dot med dot uni-muenchen de>)
| author | michael |
|---|---|
| date | Wed, 16 Feb 2005 23:04:11 +0000 |
| parents | 0a997108f384 |
| children | af4e24d6310c |
comparison
equal
deleted
inserted
replaced
| 674:b2ee9f2492d7 | 675:29a19aec26b2 |
|---|---|
| 114 static void write_section_data(AVFormatContext *s, MpegTSFilter *tss1, | 114 static void write_section_data(AVFormatContext *s, MpegTSFilter *tss1, |
| 115 const uint8_t *buf, int buf_size, int is_start) | 115 const uint8_t *buf, int buf_size, int is_start) |
| 116 { | 116 { |
| 117 MpegTSSectionFilter *tss = &tss1->u.section_filter; | 117 MpegTSSectionFilter *tss = &tss1->u.section_filter; |
| 118 int len; | 118 int len; |
| 119 unsigned int crc; | |
| 120 | 119 |
| 121 if (is_start) { | 120 if (is_start) { |
| 122 memcpy(tss->section_buf, buf, buf_size); | 121 memcpy(tss->section_buf, buf, buf_size); |
| 123 tss->section_index = buf_size; | 122 tss->section_index = buf_size; |
| 124 tss->section_h_size = -1; | 123 tss->section_h_size = -1; |
| 140 return; | 139 return; |
| 141 tss->section_h_size = len; | 140 tss->section_h_size = len; |
| 142 } | 141 } |
| 143 | 142 |
| 144 if (tss->section_h_size != -1 && tss->section_index >= tss->section_h_size) { | 143 if (tss->section_h_size != -1 && tss->section_index >= tss->section_h_size) { |
| 145 if (tss->check_crc) { | |
| 146 crc = mpegts_crc32(tss->section_buf, tss->section_h_size); | |
| 147 if (crc != 0) | |
| 148 goto invalid_crc; | |
| 149 } | |
| 150 tss->section_cb(tss->opaque, tss->section_buf, tss->section_h_size); | |
| 151 invalid_crc: | |
| 152 tss->end_of_section_reached = 1; | 144 tss->end_of_section_reached = 1; |
| 145 if (!tss->check_crc || | |
| 146 mpegts_crc32(tss->section_buf, tss->section_h_size) == 0) | |
| 147 tss->section_cb(tss->opaque, tss->section_buf, tss->section_h_size); | |
| 153 } | 148 } |
| 154 } | 149 } |
| 155 | 150 |
| 156 MpegTSFilter *mpegts_open_section_filter(MpegTSContext *ts, unsigned int pid, | 151 MpegTSFilter *mpegts_open_section_filter(MpegTSContext *ts, unsigned int pid, |
| 157 SectionCallback *section_cb, void *opaque, | 152 SectionCallback *section_cb, void *opaque, |
| 924 /* pointer field present */ | 919 /* pointer field present */ |
| 925 len = *p++; | 920 len = *p++; |
| 926 if (p + len > p_end) | 921 if (p + len > p_end) |
| 927 return; | 922 return; |
| 928 if (len && cc_ok) { | 923 if (len && cc_ok) { |
| 929 /* write remaning section bytes */ | 924 /* write remaining section bytes */ |
| 930 write_section_data(s, tss, | 925 write_section_data(s, tss, |
| 931 p, len, 0); | 926 p, len, 0); |
| 927 /* check whether filter has been closed */ | |
| 928 if (!ts->pids[pid]) | |
| 929 return; | |
| 932 } | 930 } |
| 933 p += len; | 931 p += len; |
| 934 if (p < p_end) { | 932 if (p < p_end) { |
| 935 write_section_data(s, tss, | 933 write_section_data(s, tss, |
| 936 p, p_end - p, 1); | 934 p, p_end - p, 1); |