shithub: openh264

Download patch

ref: 0250acc665847e3fb63fe34d747c5cd5ec53fe6c
parent: d7304bbaf482c1ef1af0a05c499c1b51751b880f
parent: fc6ea7e5a8d65a5b1c56d84fe7204b6983cb6a7d
author: ruil2 <[email protected]>
date: Thu Jan 15 06:33:29 EST 2015

Merge pull request #1725 from ethanhugg/startcode2

gmp-openh264 should avoid writing outside the input frame buffer with start code.

--- a/module/gmp-openh264.cpp
+++ b/module/gmp-openh264.cpp
@@ -622,7 +622,9 @@
 
     case GMP_BufferLength32: {
       uint8_t* start_code = inputFrame->Buffer();
-      while (start_code < inputFrame->Buffer() + inputFrame->Size()) {
+      // start code should be at least four bytes from the end or we risk
+      // reading/writing outside the buffer.
+      while (start_code < inputFrame->Buffer() + inputFrame->Size() - 4) {
         static const uint8_t code[] = { 0x00, 0x00, 0x00, 0x01 };
         uint8_t* lenp = start_code;
         start_code += * (reinterpret_cast<int32_t*> (lenp));