[vlc-commits] ADTS in TS muxing: fix use after free

[Rafaël Carré]

vlc | branch: master | Rafaël Carré <funman at videolan.org> | Sat Mar  3 15:20:07 2012 -0500| [b2a7dd85fcd8c631e2777dbb7255521b01d18c51] | committer: Rafaël Carré

ADTS in TS muxing: fix use after free

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=b2a7dd85fcd8c631e2777dbb7255521b01d18c51
---

 modules/mux/mpeg/ts.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/modules/mux/mpeg/ts.c b/modules/mux/mpeg/ts.c
index 2be8300..cd21b8a 100644
--- a/modules/mux/mpeg/ts.c
+++ b/modules/mux/mpeg/ts.c
@@ -1591,6 +1591,7 @@ static block_t *Add_ADTS( block_t *p_data, es_format_t *p_fmt )
     if( !p_data || p_fmt->i_extra < 2 || !p_extra )
         return p_data; /* no data to construct the headers */
 
+    size_t frame_length = p_data->i_buffer;
     int i_index = ( (p_extra[0] << 1) | (p_extra[1] >> 7) ) & 0x0f;
     int i_profile = (p_extra[0] >> 3) - 1; /* i_profile < 4 */
 
@@ -1621,7 +1622,7 @@ static block_t *Add_ADTS( block_t *p_data, es_format_t *p_fmt )
     p_buffer[0] = 0xff;
     p_buffer[1] = 0xf1; /* 0xf0 | 0x00 | 0x00 | 0x01 */
     p_buffer[2] = (i_profile << 6) | ((i_index & 0x0f) << 2) | ((i_channels >> 2) & 0x01) ;
-    p_buffer[3] = (i_channels << 6) | ((p_data->i_buffer >> 11) & 0x03);
+    p_buffer[3] = (i_channels << 6) | ((frame_length >> 11) & 0x03);
 
     /* variable header (starts at last 2 bits of 4th byte) */
 
@@ -1629,8 +1630,8 @@ static block_t *Add_ADTS( block_t *p_data, es_format_t *p_fmt )
     /* XXX: We should check if it's CBR or VBR, but no known implementation
      * do that, and it's a pain to calculate this field */
 
-    p_buffer[4] = p_data->i_buffer >> 3;
-    p_buffer[5] = ((p_data->i_buffer & 0x07) << 5) | ((i_fullness >> 6) & 0x1f);
+    p_buffer[4] = frame_length >> 3;
+    p_buffer[5] = ((frame_length & 0x07) << 5) | ((i_fullness >> 6) & 0x1f);
     p_buffer[6] = ((i_fullness & 0x3f) << 2) /* | 0xfc */;
 
     return p_new_block;