author | Tim-Philipp Müller <tim.muller@collabora.co.uk> | 2009-07-31 20:25:17 +0100 |
---|---|---|
committer | Tim-Philipp Müller <tim.muller@collabora.co.uk> | 2009-07-31 23:54:47 +0100 |
commit | 93690bfdd65247709247d8d6e32f07111320ca14 (patch) | |
tree | cb5182d6634c9c9519dd3aa81c139693e6af5dad /gst | |
parent | 4e6fcd2345d208d029e46286c141a2f6b4ea5d7d (diff) |
flvmux: fix invalid write caused by using sizeof("string") as length
sizeof("foo") includes the string's NUL-terminator in the size returned,
but we're writing strings here with an explicit size at the beginning
and no NUL-terminator. In most cases using sizeof("foo") as length in
memcpy is not harmful, but it is where the string goes right at the
end of our buffer to write, since we don't allocate space for that
NUL terminator.
Diffstat (limited to 'gst')
-rw-r--r-- | gst/flv/gstflvmux.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/gst/flv/gstflvmux.c b/gst/flv/gstflvmux.c
index 2b5caccf..ab385f0e 100644
--- a/gst/flv/gstflvmux.c
+++ b/gst/flv/gstflvmux.c
@@ -600,8 +600,8 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
 data = GST_BUFFER_DATA (tmp);
 data[0] = 2; /* string */
 data[1] = 0;
- data[2] = 0x0a; /* length 10 */
- memcpy (&data[3], "onMetaData", sizeof ("onMetaData"));
+ data[2] = 10; /* length 10 */
+ memcpy (&data[3], "onMetaData", 10);
 script_tag = gst_buffer_join (script_tag, tmp);
@@ -682,7 +682,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
 data = GST_BUFFER_DATA (tmp);
 data[0] = 0; /* 8 bytes name */
 data[1] = 8;
- memcpy (&data[2], "duration", sizeof ("duration"));
+ memcpy (&data[2], "duration", 8);
 data[10] = 0; /* double */
 GST_WRITE_DOUBLE_BE (data + 11, d);
 script_tag = gst_buffer_join (script_tag, tmp);
@@ -713,7 +713,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
 data = GST_BUFFER_DATA (tmp);
 data[0] = 0; /* 12 bytes name */
 data[1] = 12;
- memcpy (&data[2], "AspectRatioX", sizeof ("AspectRatioX"));
+ memcpy (&data[2], "AspectRatioX", 12);
 data[14] = 0; /* double */
 GST_WRITE_DOUBLE_BE (data + 15, d);
 script_tag = gst_buffer_join (script_tag, tmp);
@@ -724,7 +724,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
 data = GST_BUFFER_DATA (tmp);
 data[0] = 0; /* 12 bytes name */
 data[1] = 12;
- memcpy (&data[2], "AspectRatioY", sizeof ("AspectRatioY"));
+ memcpy (&data[2], "AspectRatioY", 12);
 data[14] = 0; /* double */
 GST_WRITE_DOUBLE_BE (data + 15, d);
 script_tag = gst_buffer_join (script_tag, tmp);
@@ -740,7 +740,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
 data = GST_BUFFER_DATA (tmp);
 data[0] = 0; /* 15 bytes name */
 data[1] = 15;
- memcpy (&data[2], "metadatacreator", sizeof ("metadatacreator"));
+ memcpy (&data[2], "metadatacreator", 15);
 data[17] = 2; /* string */
 data[18] = (strlen (s) >> 8) & 0xff;
 data[19] = (strlen (s)) & 0xff;
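Review bot: The replacement lengths are bare literals (`10` in the first hunk, then `8`, `12`, `12`, `15`, `12` and `10` in the later ones), so the name string, the length byte written before it and the memcpy count still have to be kept in step by hand, which is the same kind of hand-counting that produced the overrun this commit fixes. Deriving the count from the literal keeps them tied together, e.g. `memcpy (&data[3], "onMetaData", sizeof ("onMetaData") - 1);` or `strlen ("onMetaData")`. The allocation of `tmp` is outside every hunk, so whether its size is also hand-counted cannot be checked from here; if it is, it deserves the same treatment, since a one-byte write past the end of a heap buffer typically goes unnoticed without valgrind or a sanitizer run.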
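Review bot: In the `metadatacreator` hunk the string length is stored as `(strlen (s) >> 8) & 0xff` and `(strlen (s)) & 0xff`, which silently truncates it to 16 bits, and nothing visible bounds `s`. The allocation and the copy of `s` are outside the hunk; if they use the full `strlen (s)`, the length field and the payload would disagree for a string longer than 65535 bytes. Computing the length once, e.g. `guint16 len = MIN (strlen (s), G_MAXUINT16);`, and using `len` for the field, the allocation and the copy would remove the doubt. The `creationdate` hunk has the same pattern at `data[15]` and `data[16]`.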
@@ -775,7 +775,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
 data = GST_BUFFER_DATA (tmp);
 data[0] = 0; /* 12 bytes name */
 data[1] = 12;
- memcpy (&data[2], "creationdate", sizeof ("creationdate"));
+ memcpy (&data[2], "creationdate", 12);
 data[14] = 2; /* string */
 data[15] = (strlen (s) >> 8) & 0xff;
 data[16] = (strlen (s)) & 0xff;
@@ -1019,7 +1019,7 @@ gst_flv_mux_write_index (GstFlvMux * mux)
 data[0] = 2; /* string */
 data[1] = 0;
 data[2] = 0x0a; /* length 10 */
- memcpy (&data[3], "onMetaData", sizeof ("onMetaData"));
+ memcpy (&data[3], "onMetaData", 10);
 script_tag = gst_buffer_join (script_tag, tmp); |
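Review bot: In `gst_flv_mux_write_index` the length byte stays `data[2] = 0x0a;` while the identical sequence in `gst_flv_mux_write_metadata` was changed to `data[2] = 10;` by the first hunk, so the two copies of the `onMetaData` header now differ in spelling though not in value. The duplication is the larger concern: the same type byte, length and name are written by hand in two functions, and a shared static helper that writes a length-prefixed name would keep them from drifting apart. As a minimum, `data[2] = 10; /* length 10 */` here would match the other function.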