From 2115a3597457231a6e5c0527fe0ff8550f64b733 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Mon, 13 Jan 2014 13:47:07 +0100
Subject: lavf: make av_probe_input_buffer more robust

Always use the actually read size as the offset instead of making possibly invalid assumptions.

Addresses: CVE-2012-6618
---
 libavformat/utils.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'libavformat/utils.c')

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 460ec4514e..db92f81a26 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -263,12 +263,11 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
 for(probe_size= PROBE_BUF_MIN; probe_size<=max_probe_size && !*fmt; probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) {
 int score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0;
- int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1;
 /* read probe data */
 if ((ret = av_reallocp(&buf, probe_size + AVPROBE_PADDING_SIZE)) < 0) return ret;
- if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) {
+ if ((ret = avio_read(pb, buf + pd.buf_size, probe_size - pd.buf_size)) < 0) {
 /* fail if error was not end of file, otherwise, lower score */
 if (ret != AVERROR_EOF) {
 av_free(buf);
--
cgit v1.2.3
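Review bot: The new `avio_read(pb, buf + pd.buf_size, probe_size - pd.buf_size)` call stays in bounds only while `0 <= pd.buf_size <= probe_size`, and nothing in this hunk establishes that. `pd` is initialised and updated outside it, since the body of av_probe_input_buffer starts before and continues past these lines. If `pd.buf_size` can ever differ from the number of bytes already stored in `buf` (worth confirming against its initialiser and the update after the read), the pointer or the length passed here becomes invalid. I would make the invariant local with a guard before the read, e.g. `if (pd.buf_size < 0 || pd.buf_size > probe_size) { av_free(buf); return AVERROR(EINVAL); }`, or at least add a comment stating that `pd.buf_size` counts the bytes read into `buf` so far.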