From 27bb1ed348fc7ab7c77eec815d9cec95a526b27c Mon Sep 17 00:00:00 2001
From: Wolfram Gloger <wmglo@dent.med.uni-muenchen.de>
Date: Wed, 16 Feb 2005 23:04:11 +0000
Subject: [PATCH] Writing to freed memory in write_section_data() patch by
(Wolfram Gloger <wmglo dent dot med dot uni-muenchen de>)
Originally committed as revision 3957 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
libavformat/mpegts.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index f48055db448..d89258c44a9 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -116,7 +116,6 @@ static void write_section_data(AVFormatContext *s, MpegTSFilter *tss1,
{
MpegTSSectionFilter *tss = &tss1->u.section_filter;
int len;
- unsigned int crc;
if (is_start) {
memcpy(tss->section_buf, buf, buf_size);
@@ -142,14 +141,10 @@ static void write_section_data(AVFormatContext *s, MpegTSFilter *tss1,
}
if (tss->section_h_size != -1 && tss->section_index >= tss->section_h_size) {
- if (tss->check_crc) {
- crc = mpegts_crc32(tss->section_buf, tss->section_h_size);
- if (crc != 0)
- goto invalid_crc;
- }
- tss->section_cb(tss->opaque, tss->section_buf, tss->section_h_size);
- invalid_crc:
tss->end_of_section_reached = 1;
+ if (!tss->check_crc ||
+ mpegts_crc32(tss->section_buf, tss->section_h_size) == 0)
+ tss->section_cb(tss->opaque, tss->section_buf, tss->section_h_size);
}
}
@@ -926,9 +921,12 @@ static void handle_packet(MpegTSContext *ts, const uint8_t *packet)
if (p + len > p_end)
return;
if (len && cc_ok) {
- /* write remaning section bytes */
+ /* write remaining section bytes */
write_section_data(s, tss,
p, len, 0);
+ /* check whether filter has been closed */
+ if (!ts->pids[pid])
+ return;
}
p += len;
if (p < p_end) {
--
GitLab