authorTim-Philipp Müller <tim.muller@collabora.co.uk>2009-07-31 20:25:17 +0100
committerTim-Philipp Müller <tim.muller@collabora.co.uk>2009-07-31 23:54:47 +0100
commit93690bfdd65247709247d8d6e32f07111320ca14 (patch)
treecb5182d6634c9c9519dd3aa81c139693e6af5dad
parent4e6fcd2345d208d029e46286c141a2f6b4ea5d7d (diff)
flvmux: fix invalid write caused by using sizeof("string") as length
sizeof("foo") includes the string's NUL-terminator in the size returned, but we're writing strings here with an explicit size at the beginning and no NUL-terminator. In most cases using sizeof("foo") as length in memcpy is not harmful, but it is where the string goes right at the end of our buffer to write, since we don't allocate space for that NUL terminator.
-rw-r--r--gst/flv/gstflvmux.c16
1 files changed, 8 insertions, 8 deletions
diff --git a/gst/flv/gstflvmux.c b/gst/flv/gstflvmux.c
index 2b5caccf..ab385f0e 100644
--- a/gst/flv/gstflvmux.c
+++ b/gst/flv/gstflvmux.c
@@ -600,8 +600,8 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
data = GST_BUFFER_DATA (tmp);
data[0] = 2; /* string */
data[1] = 0;
- data[2] = 0x0a; /* length 10 */
- memcpy (&data[3], "onMetaData", sizeof ("onMetaData"));
+ data[2] = 10; /* length 10 */
+ memcpy (&data[3], "onMetaData", 10);
script_tag = gst_buffer_join (script_tag, tmp);
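Review bot: The name lengths are now bare literals that have to agree by hand in three places per field (the length byte, the `memcpy` count and the comment), here `data[2] = 10` and `memcpy (&data[3], "onMetaData", 10)`. Deriving the count from the literal, `memcpy (&data[3], "onMetaData", sizeof ("onMetaData") - 1);`, keeps the copy size tied to the string, so a later edit to the name cannot quietly bring back an over- or under-copy. The same applies to the `duration`, `AspectRatioX`/`AspectRatioY`, `metadatacreator` and `creationdate` hunks. The `gst_flv_mux_write_index` hunk also still writes `data[2] = 0x0a` while this one switches to `10`. The allocation of `tmp` is outside the hunk, so whether its size matches the 3 + 10 bytes written cannot be confirmed from here.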
@@ -682,7 +682,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
data = GST_BUFFER_DATA (tmp);
data[0] = 0; /* 8 bytes name */
data[1] = 8;
- memcpy (&data[2], "duration", sizeof ("duration"));
+ memcpy (&data[2], "duration", 8);
data[10] = 0; /* double */
GST_WRITE_DOUBLE_BE (data + 11, d);
script_tag = gst_buffer_join (script_tag, tmp);
@@ -713,7 +713,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
data = GST_BUFFER_DATA (tmp);
data[0] = 0; /* 12 bytes name */
data[1] = 12;
- memcpy (&data[2], "AspectRatioX", sizeof ("AspectRatioX"));
+ memcpy (&data[2], "AspectRatioX", 12);
data[14] = 0; /* double */
GST_WRITE_DOUBLE_BE (data + 15, d);
script_tag = gst_buffer_join (script_tag, tmp);
@@ -724,7 +724,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
data = GST_BUFFER_DATA (tmp);
data[0] = 0; /* 12 bytes name */
data[1] = 12;
- memcpy (&data[2], "AspectRatioY", sizeof ("AspectRatioY"));
+ memcpy (&data[2], "AspectRatioY", 12);
data[14] = 0; /* double */
GST_WRITE_DOUBLE_BE (data + 15, d);
script_tag = gst_buffer_join (script_tag, tmp);
@@ -740,7 +740,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
data = GST_BUFFER_DATA (tmp);
data[0] = 0; /* 15 bytes name */
data[1] = 15;
- memcpy (&data[2], "metadatacreator", sizeof ("metadatacreator"));
+ memcpy (&data[2], "metadatacreator", 15);
data[17] = 2; /* string */
data[18] = (strlen (s) >> 8) & 0xff;
data[19] = (strlen (s)) & 0xff;
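Review bot: `strlen (s)` is evaluated twice on the lines after the fixed `memcpy`, and only its low 16 bits reach `data[18]`/`data[19]`, so a value longer than 65535 bytes would be announced with a truncated length. Where `s` comes from and how `tmp` is sized are outside the hunk, so this may be unreachable in practice. If the bound is not guaranteed, compute the length once and clamp it, e.g. `gsize len = MIN (strlen (s), G_MAXUINT16);`, then use `len` for the allocation, the two length bytes and the copy. The `creationdate` hunk has the same pattern at `data[15]`/`data[16]`.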
@@ -775,7 +775,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
data = GST_BUFFER_DATA (tmp);
data[0] = 0; /* 12 bytes name */
data[1] = 12;
- memcpy (&data[2], "creationdate", sizeof ("creationdate"));
+ memcpy (&data[2], "creationdate", 12);
data[14] = 2; /* string */
data[15] = (strlen (s) >> 8) & 0xff;
data[16] = (strlen (s)) & 0xff;
@@ -1019,7 +1019,7 @@ gst_flv_mux_write_index (GstFlvMux * mux)
data[0] = 2; /* string */
data[1] = 0;
data[2] = 0x0a; /* length 10 */
- memcpy (&data[3], "onMetaData", sizeof ("onMetaData"));
+ memcpy (&data[3], "onMetaData", 10);
script_tag = gst_buffer_join (script_tag, tmp);