From 54a09f18e3d1d3f049c72878f1c891ab0336408a Mon Sep 17 00:00:00 2001
From: Reimar Döffinger
Date: Sun, 6 Nov 2011 01:33:31 +0100
Subject: Fix av_packet_split_side_data.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
p cannot be calculated before av_dup_packet since that one might change avpkt->data, causing invalid reads and a non-working range check.
Signed-off-by: Reimar Döffinger
---
 libavcodec/avpacket.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'libavcodec/avpacket.c')
diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c
index ff34285b48..a4bd442176 100644
--- a/libavcodec/avpacket.c
+++ b/libavcodec/avpacket.c
@@ -237,10 +237,11 @@ int av_packet_split_side_data(AVPacket *pkt){
 if (!pkt->side_data_elems && pkt->size >12 && AV_RB64(pkt->data + pkt->size - 8) == FF_MERGE_MARKER){
 int i;
 unsigned int size;
- uint8_t *p= pkt->data + pkt->size - 8 - 5;
+ uint8_t *p;
 av_dup_packet(pkt);
+ p = pkt->data + pkt->size - 8 - 5;
 for (i=1; ; i++){
 size = AV_RB32(p);
 if (size>INT_MAX || p - pkt->data <= size)
--
cgit v1.2.3
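Review bot: The `av_dup_packet(pkt)` call is still made without looking at its result, so if the duplication fails, the moved `p = pkt->data + pkt->size - 8 - 5;` and the `AV_RB32(p)` reads in the loop run on whatever state the packet was left in. Assuming it signals failure with a negative return, I would stop before deriving `p`: `if (av_dup_packet(pkt) < 0) return AVERROR(ENOMEM);`. How callers treat a negative return from this function needs confirming, since its body continues outside the hunk. A one-line comment on the moved assignment, such as `/* av_dup_packet() may replace pkt->data, so derive p only after it */`, would keep a later cleanup from folding the initialiser back into the declaration and reintroducing the stale pointer.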