virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-08-10 06:10:52 +02:00
Code Issues Releases Activity

avformat/mxfdec: Don't use wrong type of pointer

Browse Source 
If one of the two results of a ternary conditional is a pointer to void,
the type of the whole conditional operator is a pointer to void, even
when the other possible result is not a pointer to void. This loophole
in the type system has allowed mxf_read_local_tags to have a pointer of
type pointer to MXFMetadataSet that actually points to an MXFContext.

Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
This commit is contained in:
Andreas Rheinhardt
2021-03-12 12:59:47 +01:00
parent 5edcdfc318
commit 9224b1f6b3
1 changed files with 20 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
libavformat/mxfdec.c
View File

@@ -2889,13 +2889,20 @@ static int mxf_metadataset_init(MXFMetadataSet *ctx, enum MXFMetadataSetType typ
static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadFunc *read_child, int ctx_size, enum MXFMetadataSetType type) static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadFunc *read_child, int ctx_size, enum MXFMetadataSetType type)
{ {
AVIOContext *pb = mxf->fc->pb; AVIOContext *pb = mxf->fc->pb;
MXFMetadataSet *ctx = ctx_size ? av_mallocz(ctx_size) : mxf;
uint64_t klv_end = avio_tell(pb) + klv->length; uint64_t klv_end = avio_tell(pb) + klv->length;
MXFMetadataSet *meta;
void *ctx;
if (!ctx) if (ctx_size) {
return AVERROR(ENOMEM); meta = av_mallocz(ctx_size);
if (ctx_size) if (!meta)
mxf_metadataset_init(ctx, type); return AVERROR(ENOMEM);
ctx = meta;
mxf_metadataset_init(meta, type);
} else {
meta = NULL;
ctx = mxf;
}
while (avio_tell(pb) + 4 < klv_end && !avio_feof(pb)) { while (avio_tell(pb) + 4 < klv_end && !avio_feof(pb)) {
int ret; int ret;
int tag = avio_rb16(pb); int tag = avio_rb16(pb);
@@ -2922,19 +2929,20 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF
} }
} }
} }
if (ctx_size && tag == 0x3C0A) { if (meta && tag == 0x3C0A) {
avio_read(pb, ctx->uid, 16); avio_read(pb, meta->uid, 16);
} else if ((ret = read_child(ctx, pb, tag, size, uid, -1)) < 0) { } else if ((ret = read_child(ctx, pb, tag, size, uid, -1)) < 0) {
if (ctx_size) if (meta) {
mxf_free_metadataset(&ctx, 1); mxf_free_metadataset(&meta, 1);
}
return ret; return ret;
} }
/* Accept the 64k local set limit being exceeded (Avid). Don't accept /* Accept the 64k local set limit being exceeded (Avid). Don't accept
* it extending past the end of the KLV though (zzuf5.mxf). */ * it extending past the end of the KLV though (zzuf5.mxf). */
if (avio_tell(pb) > klv_end) { if (avio_tell(pb) > klv_end) {
if (ctx_size) { if (meta) {
mxf_free_metadataset(&ctx, 1); mxf_free_metadataset(&meta, 1);
} }
av_log(mxf->fc, AV_LOG_ERROR, av_log(mxf->fc, AV_LOG_ERROR,
@@ -2944,7 +2952,7 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF
} else if (avio_tell(pb) <= next) /* only seek forward, else this can loop for a long time */ } else if (avio_tell(pb) <= next) /* only seek forward, else this can loop for a long time */
avio_seek(pb, next, SEEK_SET); avio_seek(pb, next, SEEK_SET);
} }
return ctx_size ? mxf_add_metadata_set(mxf, &ctx) : 0; return meta ? mxf_add_metadata_set(mxf, &meta) : 0;
} }
/** /**