virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-08-04 22:03:09 +02:00
Code Issues Releases Activity

avformat/dashdec: Allocate space for appended "/"

Browse Source 
Fixes: writing 1 byte over the end of the array
Fixes: BIGSLEEP-433502298/test.xml

Found-by: Google Big Sleep

A prettier solution is welcome!
A testcase exists only for the baseurl case

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2025-07-28 23:41:56 +02:00
parent ff52147f59
commit ce0a655f85
1 changed files with 11 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
libavformat/dashdec.c
View File

@ -735,7 +735,7 @@ static int resolve_content_path(AVFormatContext *s, const char *url, int *max_ur
}
tmp_max_url_size = aligned(tmp_max_url_size);
text = av_mallocz(tmp_max_url_size);
text = av_mallocz(tmp_max_url_size + 1);
if (!text) {
updated = AVERROR(ENOMEM);
goto end;
@ -747,7 +747,7 @@ static int resolve_content_path(AVFormatContext *s, const char *url, int *max_ur
}
av_free(text);
path = av_mallocz(tmp_max_url_size);
path = av_mallocz(tmp_max_url_size + 2);
tmp_str = av_mallocz(tmp_max_url_size);
if (!tmp_str || !path) {
updated = AVERROR(ENOMEM);
@ -769,6 +769,15 @@ static int resolve_content_path(AVFormatContext *s, const char *url, int *max_ur
node = baseurl_nodes[rootId];
baseurl = xmlNodeGetContent(node);
if (baseurl) {
size_t len = xmlStrlen(baseurl)+2;
char *tmp = xmlRealloc(baseurl, len);
if (!tmp) {
updated = AVERROR(ENOMEM);
goto end;
}
baseurl = tmp;
}
root_url = (av_strcasecmp(baseurl, "")) ? baseurl : path;
if (node) {
xmlNodeSetContent(node, root_url);