From bf87908cd8da31e8f8fe75c06577170928ea70a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Jul 2013 23:38:08 +0200 Subject: [PATCH] rmdec: Pass AVIOContext to rm_read_metadata() Fix null pointer dereference Fixes Ticket2588 Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 13d1d25758..2c4ed49c12 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -95,13 +95,14 @@ static int rm_read_extradata(AVIOContext *pb, AVCodecContext *avctx, unsigned si return 0; } -static void rm_read_metadata(AVFormatContext *s, int wide) +static void rm_read_metadata(AVFormatContext *s, AVIOContext *pb, int wide) { char buf[1024]; int i; + for (i=0; ipb) : avio_r8(s->pb); - get_strl(s->pb, buf, sizeof(buf), len); + int len = wide ? avio_rb16(pb) : avio_r8(pb); + get_strl(pb, buf, sizeof(buf), len); av_dict_set(&s->metadata, ff_rm_metadata[i], buf, 0); } } @@ -134,7 +135,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, avio_skip(pb, 8); bytes_per_minute = avio_rb16(pb); avio_skip(pb, 4); - rm_read_metadata(s, 0); + rm_read_metadata(s, pb, 0); if ((startpos + header_size) >= avio_tell(pb) + 2) { // fourcc (should always be "lpcJ") avio_r8(pb); @@ -293,7 +294,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, avio_r8(pb); avio_r8(pb); avio_r8(pb); - rm_read_metadata(s, 0); + rm_read_metadata(s, pb, 0); } } return 0; @@ -516,7 +517,7 @@ static int rm_read_header(AVFormatContext *s) flags = avio_rb16(pb); /* flags */ break; case MKTAG('C', 'O', 'N', 'T'): - rm_read_metadata(s, 1); + rm_read_metadata(s, pb, 1); break; case MKTAG('M', 'D', 'P', 'R'): st = avformat_new_stream(s, NULL);