avformat/ac3dec: Check buf2 before adding 16 in ac3_eac3_probe()
author Michael Niedermayer <michael@niedermayer.cc>
Sat, 28 Oct 2017 14:16:46 +0000 (16:16 +0200)
committer Michael Niedermayer <michael@niedermayer.cc>
Sat, 28 Oct 2017 18:24:04 +0000 (20:24 +0200)
This is needed since e0250cf3651e6417e0117486a7816b45fb2d34cd as that uses end-buf2
Note, there are more than 16 bytes allocated beyond "end"

Fixes: regression (segfault) with probetest

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavformat/ac3dec.c

index 8ea7382..6f423ff 100644 (file)
@@ -47,8 +47,11 @@ static int ac3_eac3_probe(AVProbeData *p, enum AVCodecID expected_codec_id)
             uint16_t frame_size;
             int i, ret;
 
-            if(!memcmp(buf2, "\x1\x10\0\0\0\0\0\0", 8))
+            if(!memcmp(buf2, "\x1\x10\0\0\0\0\0\0", 8)) {
+                if (buf2 + 16 > end)
+                    break;
                 buf2+=16;
+            }
             if (buf[0] == 0x77 && buf[1] == 0x0B) {
                 for(i=0; i<8; i+=2) {
                     buf3[i  ] = buf2[i+1];
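Review bot: The added check `if (buf2 + 16 > end)` is only safe because of the padding past `end`, and that assumption is stated in the commit message but nowhere in the code. The comparison forms `buf2 + 16` before testing it, and it still lets `buf2 + 16 == end` through, after which `buf2 == end` and the following loop reads `buf2[i+1]` from the padding. The same applies to the 8-byte `memcmp(buf2, ...)` that runs before any bound is tested. I would add a short comment next to the check naming the padding guarantee it depends on, and consider writing the test as `end - buf2 < 16` so that no pointer beyond `end` is computed and the form matches the `end-buf2` use that the commit message says motivated this fix. It is also worth a one-line comment on why `break` (rather than skipping just this candidate) is the intended reaction when fewer than 16 bytes remain.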